Edit tour

Windows Analysis Report
habHh1BC0L.dll

Overview

General Information

Sample name:	habHh1BC0L.dll renamed because original name is a hash value
Original sample name:	a34d8bd7493c5f8c2bf381a0267de463.dll
Analysis ID:	1591365
MD5:	a34d8bd7493c5f8c2bf381a0267de463
SHA1:	19326be1a905a053f95cef69a630d30cb298bd5b
SHA256:	133e1d4c87a3728c2888997025565651e654f5af74c5428f822c9c058ec3b35e
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7300 cmdline: loaddll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7372 cmdline: rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7440 cmdline: C:\WINDOWS\mssecsvr.exe MD5: FF830E078CB269B709C952BDF1F34D24)

tasksche.exe (PID: 7700 cmdline: C:\WINDOWS\tasksche.exe /i MD5: CBB4BE2403D2BE4554AA9BE6B49A7B62)

rundll32.exe (PID: 7360 cmdline: rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 7620 cmdline: C:\WINDOWS\mssecsvr.exe MD5: FF830E078CB269B709C952BDF1F34D24)

tasksche.exe (PID: 7904 cmdline: C:\WINDOWS\tasksche.exe /i MD5: CBB4BE2403D2BE4554AA9BE6B49A7B62)

mssecsvr.exe (PID: 7568 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: FF830E078CB269B709C952BDF1F34D24)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
habHh1BC0L.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
habHh1BC0L.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1336734524.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1389292837.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1365918332.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1359729095.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2016361125.0000000002384000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2015998105.0000000001E5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7440	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7568	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 7620	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.1e4d084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.23758c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1e4d084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e4d084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1e4d084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2384948.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2384948.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2384948.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.23758c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.23758c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.23758c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1e5c104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e5c104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1e5c104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1e580a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e580a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1e5c104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e5c104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.23808e8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.23808e8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2384948.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2384948.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
Click to see the 35 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T22:43:00.434570+0100	2803304	3	Unknown Traffic	192.168.2.9	49727	103.224.212.215	80	TCP
2025-01-14T22:43:02.106468+0100	2803304	3	Unknown Traffic	192.168.2.9	49740	103.224.212.215	80	TCP
2025-01-14T22:45:08.618751+0100	2803304	3	Unknown Traffic	192.168.2.9	52883	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T22:42:59.628747+0100	2830018	1	A Network Trojan was detected	192.168.2.9	64051	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: habHh1BC0L.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/X	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5f	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e63794	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5fe8	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939b2	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=202	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0845-0884-8536-91f430fa231d	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e6379487	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/A	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/Rasftuby.cpsmo

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 86%
Source: C:\Windows\eee.exe	ReversingLabs: Detection: 12%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: habHh1BC0L.dll	Virustotal: Detection: 95%			Perma Link
Source: habHh1BC0L.dll	ReversingLabs: Detection: 92%

Machine Learning detection for dropped file

Source: C:\Windows\eee.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: habHh1BC0L.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: habHh1BC0L.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source:

Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: tasksche.exe, 0000000B.00000000.1373149945.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmp, tasksche.exe, 0000000C.00000002.2589033370.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000000.1387882069.000000000042A000.00000002.00000001.01000000.00000007.sdmp, habHh1BC0L.dll, tasksche.exe.6.dr

Source: C:\Windows\tasksche.exe	Code function: 11_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		11_2_00409476
Source: C:\Windows\tasksche.exe	Code function: 11_2_0040DE5E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		11_2_0040DE5E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.9:64051 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.2.9:52262 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0843-0023-a483-adfaa7c939b2 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0843-0290-ac2b-9956998a5fe8 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736890980.6404981
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0843-02ad-b855-1345e6379487 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=b07e05a2-6afb-4967-a1ef-8668f7ec5591
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0845-0884-8536-91f430fa231d HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49740 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49727 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:52883 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.227
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.227
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.227
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.227
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.1
Source: unknown	TCP traffic detected without corresponding DNS query: 100.186.60.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.207
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.207
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.207
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.207
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.1
Source: unknown	TCP traffic detected without corresponding DNS query: 99.38.44.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.167
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.167
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.167
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.167
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.201.178.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0843-0023-a483-adfaa7c939b2 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0843-0290-ac2b-9956998a5fe8 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736890980.6404981
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0843-02ad-b855-1345e6379487 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=b07e05a2-6afb-4967-a1ef-8668f7ec5591
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-0845-0884-8536-91f430fa231d HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=202
Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0
Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939
Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5f
Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e63794
Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/A
Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/X
Source: habHh1BC0L.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/$
Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2f
Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/g
Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/l
Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ll)
Source: mssecsvr.exe, 00000008.00000002.2014176011.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comq
Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comsf:

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: habHh1BC0L.dll, type: SAMPLE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e580a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e5c104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.23808e8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2384948.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1336734524.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1389292837.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1365918332.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1359729095.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2016361125.0000000002384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2015998105.0000000001E5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 7620, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: habHh1BC0L.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1e4d084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.23758c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1e580a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1e5c104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.23808e8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2384948.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)

Source: C:\Windows\tasksche.exe

Code function: 11_2_0040690A: __EH_prolog,_wcslen,_wcscpy,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

11_2_0040690A

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\Windows\__tmp_rar_sfx_access_check_5077250	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\Windows\eee.exe	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\Windows\__tmp_rar_sfx_access_check_5078562	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\Windows\eee.exe	Jump to behavior

Source: C:\Windows\tasksche.exe

File deleted: C:\Windows\__tmp_rar_sfx_access_check_5077250

Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 11_2_00402F2C	11_2_00402F2C
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041B0D9	11_2_0041B0D9
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041B8B9	11_2_0041B8B9
Source: C:\Windows\tasksche.exe	Code function: 11_2_00414946	11_2_00414946
Source: C:\Windows\tasksche.exe	Code function: 11_2_00410178	11_2_00410178
Source: C:\Windows\tasksche.exe	Code function: 11_2_00404986	11_2_00404986
Source: C:\Windows\tasksche.exe	Code function: 11_2_00429241	11_2_00429241
Source: C:\Windows\tasksche.exe	Code function: 11_2_0042727C	11_2_0042727C
Source: C:\Windows\tasksche.exe	Code function: 11_2_0040CB23	11_2_0040CB23
Source: C:\Windows\tasksche.exe	Code function: 11_2_004283FC	11_2_004283FC
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041AC04	11_2_0041AC04
Source: C:\Windows\tasksche.exe	Code function: 11_2_00416C3F	11_2_00416C3F
Source: C:\Windows\tasksche.exe	Code function: 11_2_00401CC1	11_2_00401CC1
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041F4D4	11_2_0041F4D4
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041BCD9	11_2_0041BCD9
Source: C:\Windows\tasksche.exe	Code function: 11_2_0040C4FF	11_2_0040C4FF
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041B4AD	11_2_0041B4AD
Source: C:\Windows\tasksche.exe	Code function: 11_2_00417D78	11_2_00417D78
Source: C:\Windows\tasksche.exe	Code function: 11_2_00427D04	11_2_00427D04
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041450F	11_2_0041450F
Source: C:\Windows\tasksche.exe	Code function: 11_2_00415D9A	11_2_00415D9A
Source: C:\Windows\tasksche.exe	Code function: 11_2_00405610	11_2_00405610
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041462B	11_2_0041462B
Source: C:\Windows\tasksche.exe	Code function: 11_2_00413EE3	11_2_00413EE3
Source: C:\Windows\tasksche.exe	Code function: 11_2_004106F4	11_2_004106F4
Source: C:\Windows\tasksche.exe	Code function: 11_2_0040C756	11_2_0040C756
Source: C:\Windows\tasksche.exe	Code function: 11_2_004277C0	11_2_004277C0

Source: Joe Sandbox View

Dropped File: C:\Windows\eee.exe 92B0BECA439DB25D7098379CEE580FA69F6F5E7271708BDEC03AB8FF526426D8

Source: C:\Windows\tasksche.exe	Code function: String function: 0041AAF0 appears 49 times
Source: C:\Windows\tasksche.exe	Code function: String function: 0041A4DC appears 37 times
Source: C:\Windows\tasksche.exe	Code function: String function: 0041FA9C appears 38 times

Source: eee.exe.11.dr

Static PE information: No import functions for PE file found

Source: habHh1BC0L.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: habHh1BC0L.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1e4d084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.23758c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1e580a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1e5c104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.23808e8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2384948.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/3@2/100

Source: C:\Windows\tasksche.exe

Code function: 11_2_00406553 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

11_2_00406553

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Source: C:\Windows\tasksche.exe

Code function: 11_2_00419BB0 CoCreateInstance,

11_2_00419BB0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\tasksche.exe

File created: C:\Users\user\New folder

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03

Source: C:\Windows\tasksche.exe	Command line argument: sfxname	11_2_0040FEF0
Source: C:\Windows\tasksche.exe	Command line argument: sfxstime	11_2_0040FEF0
Source: C:\Windows\tasksche.exe	Command line argument: STARTDLG	11_2_0040FEF0
Source: C:\Windows\tasksche.exe	Command line argument: @CB	11_2_00424290

Source: habHh1BC0L.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\tasksche.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame

Source: habHh1BC0L.dll	Virustotal: Detection: 95%
Source: habHh1BC0L.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\mssecsvr.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK
Source: C:\Windows\tasksche.exe	Automated click: OK

Source: C:\Windows\tasksche.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: habHh1BC0L.dll

Static file information: File size 5267459 > 1048576

Source: habHh1BC0L.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source:

Source: C:\Windows\tasksche.exe

Code function: 11_2_0040CEB6 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_0040CEB6

Source: C:\Windows\tasksche.exe

File created: C:\Windows\__tmp_rar_sfx_access_check_5077250

Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 11_2_0041FAE1 push ecx; ret		11_2_0041FAF4
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041A4DC push eax; ret		11_2_0041A4FA

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\mssecsvr.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvr.exe			Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\tasksche.exe	File created: C:\Windows\eee.exe	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\tasksche.exe	File created: C:\Windows\eee.exe	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\tasksche.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\tasksche.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\tasksche.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\tasksche.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\tasksche.exe

Dropped PE file which has not been started: C:\Windows\eee.exe

Jump to dropped file

Source: C:\Windows\tasksche.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_11-19226
Source: C:\Windows\tasksche.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_11-19426

Source: C:\Windows\mssecsvr.exe TID: 7680	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7680	Thread sleep time: -182000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7684	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7684	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 7680	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\tasksche.exe	Code function: 11_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		11_2_00409476
Source: C:\Windows\tasksche.exe	Code function: 11_2_0040DE5E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		11_2_0040DE5E

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: tasksche.exe, 0000000C.00000002.2590376299.00000000056E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
Source: tasksche.exe, 0000000C.00000003.2439818918.0000000005713000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N1
Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\^
Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y{
Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tasksche.exe, 0000000C.00000002.2590376299.0000000005716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tasksche.exe, 0000000C.00000003.1976698073.0000000005716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}77
Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: tasksche.exe, 0000000C.00000002.2590376299.00000000056E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$7
Source: tasksche.exe, 0000000C.00000003.1778936718.00000000007FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G\|3c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}77
Source: tasksche.exe, 0000000C.00000002.2589335405.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\UUU
Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2015365691.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: tasksche.exe, 0000000C.00000003.1777199303.0000000000830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: tasksche.exe, 0000000C.00000003.1778350015.0000000000830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}42??
Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: tasksche.exe, 0000000C.00000003.1778350015.0000000000830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{55630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18xn
Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y,
Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tasksche.exe, 0000000C.00000002.2590376299.00000000056E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD0

Source: C:\Windows\tasksche.exe

API call chain: ExitProcess graph end node

graph_11-19228

Source: C:\Windows\tasksche.exe

Code function: 11_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

11_2_0041E6DE

Source: C:\Windows\tasksche.exe

Code function: 11_2_0040CEB6 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_0040CEB6

Source: C:\Windows\tasksche.exe	Code function: 11_2_004234CE SetUnhandledExceptionFilter,	11_2_004234CE
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0041E6DE
Source: C:\Windows\tasksche.exe	Code function: 11_2_0041FFDB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0041FFDB
Source: C:\Windows\tasksche.exe	Code function: 11_2_00423F89 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	11_2_00423F89

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1

Jump to behavior

Source: C:\Windows\tasksche.exe

Code function: 11_2_0040CA52 cpuid

11_2_0040CA52

Source: C:\Windows\tasksche.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		11_2_0040D155
Source: C:\Windows\tasksche.exe	Code function: GetLocaleInfoA,		11_2_00425EF0

Source: C:\Windows\tasksche.exe

Code function: 11_2_0040FEF0 OleInitialize,_memset,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,DeleteObject,DeleteObject,DeleteObject,CloseHandle,Sleep,OleUninitialize,

11_2_0040FEF0

Source: C:\Windows\tasksche.exe

Code function: 11_2_00409C06 GetVersionExW,

11_2_00409C06

Source: C:\Windows\tasksche.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Windows\tasksche.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	4 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	4 Windows Service	1 Software Packing	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 DLL Side-Loading	NTDS	1 Network Share Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Masquerading	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
habHh1BC0L.dll	95%	Virustotal		Browse
habHh1BC0L.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
habHh1BC0L.dll	100%	Avira	TR/AD.DPulsarShellcode.uvbfu
habHh1BC0L.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	TR/Rasftuby.cpsmo
C:\Windows\eee.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	87%	ReversingLabs	Win32.Trojan.Rasftuby
C:\Windows\eee.exe	12%	ReversingLabs
C:\Windows\tasksche.exe	87%	ReversingLabs	Win32.Trojan.Rasftuby

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/X	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comsf:	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5f	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e63794	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comq	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5fe8	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939b2	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=202	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0845-0884-8536-91f430fa231d	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e6379487	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/A	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5fe8	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939b2	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0845-0884-8536-91f430fa231d	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e6379487	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/l	mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939	mssecsvr.exe, 00000006.00000002.1374237333.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/X	mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5f	mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ll)	mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comsf:	mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e63794	mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	habHh1BC0L.dll	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/g	mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/$	mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comq	mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=202	mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2014176011.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0	mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2f	mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/A	mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
75.17.203.1	unknown	United States	7018	ATT-INTERNET4US	false
45.247.224.1	unknown	Egypt	24863	LINKdotNET-ASEG	false
52.178.54.35	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
4.3.90.1	unknown	United States	3356	LEVEL3US	false
64.4.253.22	unknown	United States	11643	EBAYUS	false
4.3.90.2	unknown	United States	3356	LEVEL3US	false
102.101.193.1	unknown	Morocco	36925	ASMediMA	false
72.237.206.254	unknown	United States	25930	GENESIS-HEALTHCAREUS	false
169.10.57.65	unknown	United States	203	CENTURYLINK-LEGACY-LVLT-203US	false
85.167.36.1	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
4.3.90.171	unknown	United States	3356	LEVEL3US	false
87.157.193.1	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
71.168.64.61	unknown	United States	13672	FAIRPO-3US	false
143.130.7.200	unknown	Austria	1853	ACONETACOnetBackboneAT	false
169.10.57.1	unknown	United States	203	CENTURYLINK-LEGACY-LVLT-203US	false
3.72.157.1	unknown	United States	16509	AMAZON-02US	false
87.157.193.156	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100
192.168.2.221
192.168.2.101

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591365
Start date and time:	2025-01-14 22:42:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	habHh1BC0L.dll renamed because original name is a hash value
Original Sample Name:	a34d8bd7493c5f8c2bf381a0267de463.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/3@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 76% Number of executed functions: 64 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:43:01	API Interceptor	1x Sleep call for process: loaddll32.exe modified
16:43:36	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d	Get hash	malicious	Unknown	Browse	13.107.246.45
	hzQNazOx3Z.dll	Get hash	malicious	Wannacry	Browse	13.107.246.45
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	13.107.246.45
	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	13.107.246.45
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	13.107.246.45
	logitix.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	EFT_Payment_Notification_Gheenirrigation.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
77026.bodis.com	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	199.59.243.227
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	yrBA01LVo2.exe	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664	Get hash	malicious	Phisher	Browse	13.32.23.8
	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	172.142.199.1
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	75.63.94.202
	k6fBkyS1R6.dll	Get hash	malicious	Wannacry	Browse	12.213.51.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	12.85.167.44
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	13.32.27.22
	meth3.elf	Get hash	malicious	Mirai	Browse	13.183.171.175
	meth1.elf	Get hash	malicious	Mirai	Browse	99.160.219.59
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	99.158.47.182
	https://mercedesinsua.com.ar/?infox=Ymxha2Uuc2lyZ29AY290ZXJyYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.32.27.44
LINKdotNET-ASEG	meth10.elf	Get hash	malicious	Mirai	Browse	197.161.205.9
	meth8.elf	Get hash	malicious	Mirai	Browse	41.196.116.152
	meth1.elf	Get hash	malicious	Mirai	Browse	197.167.208.203
	x86.elf	Get hash	malicious	Unknown	Browse	41.131.9.180
	meth14.elf	Get hash	malicious	Mirai	Browse	197.163.51.123
	meth9.elf	Get hash	malicious	Mirai	Browse	41.196.116.132
	meth15.elf	Get hash	malicious	Mirai	Browse	197.165.32.53
	elitebotnet.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	197.163.92.69
	4.elf	Get hash	malicious	Unknown	Browse	197.166.117.68
	3.elf	Get hash	malicious	Unknown	Browse	45.243.134.201
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d	Get hash	malicious	Unknown	Browse	20.49.104.18
	FjSrGs0AE2.dll	Get hash	malicious	Wannacry	Browse	22.184.197.1
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	13.103.137.252
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	52.252.59.4
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	21.20.144.1
	XML-702.msi	Get hash	malicious	AteraAgent	Browse	20.60.197.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	20.207.221.18
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	13.107.253.45
	EFT_Payment_Notification_Gheenirrigation.html	Get hash	malicious	HTMLPhisher	Browse	20.190.159.75
	MissedCall_Record_3295935663.html	Get hash	malicious	Unknown	Browse	13.69.116.109

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\eee.exe	IU28r0EZFA.dll	Get hash	malicious	Wannacry	Browse
	znV6O953KT.dll	Get hash	malicious	Wannacry	Browse
	goN6vVlV2F.dll	Get hash	malicious	Wannacry	Browse
	QbNF1cvpa0.dll	Get hash	malicious	Wannacry	Browse
	vGJZ7R5D9P.dll	Get hash	malicious	Wannacry	Browse
	vEbriCJic0.dll	Get hash	malicious	Wannacry	Browse
	48O5lgRp91.dll	Get hash	malicious	Wannacry	Browse
	PDAZE3eQB1.dll	Get hash	malicious	Wannacry	Browse
	rBsGH746YC.dll	Get hash	malicious	Wannacry	Browse
	dKkvbrzdUL.dll	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.943301985754563
Encrypted:	false
SSDEEP:	49152:XEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhOvm:XyfBhz1aRxcSUDk36SAEdhGm
MD5:	CBB4BE2403D2BE4554AA9BE6B49A7B62
SHA1:	112D00C9FC32873F6186CCA9484CE67B7D9004EC
SHA-256:	5677D02E02429ED7EEF009420C5CDE3B246F37E2489D73FED257D79BF11AA35A
SHA-512:	9A55B3968BB1996B251B8BCE239ADAFE00D9F8B8D2E5CACC068A9638448CAC4A7F952481CB9944A1F8EE68373927EA35CCE6F8DFEEEB9F8CD4D8A90FE3B18112
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\eee.exe

Download File

Process:	C:\Windows\tasksche.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1981503
Entropy (8bit):	1.1514036614623402
Encrypted:	false
SSDEEP:	3072:Pm7CQNtZU+mWdyVsJM5MelfvtNdQU/2DRIYUoNv+byel0QWq:PsCwu+mWhJifvtNP/7YXYlW
MD5:	03880BEAD20960FEF3D46ADE3C83E1BD
SHA1:	62EECEF13F3125CF8E4212D4AD85AB45E091830D
SHA-256:	92B0BECA439DB25D7098379CEE580FA69F6F5E7271708BDEC03AB8FF526426D8
SHA-512:	8534E48D702AFB70A4537096AEC7EBB1E4C1A4CF14A44F7C1F7D8DF972742A5E0A49738124891843CF10E390379ECEEFC7882A0BE6AEA206A6583BC4B1194F9D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 12%
Joe Sandbox View:	Filename: IU28r0EZFA.dll, Detection: malicious, Browse Filename: znV6O953KT.dll, Detection: malicious, Browse Filename: goN6vVlV2F.dll, Detection: malicious, Browse Filename: QbNF1cvpa0.dll, Detection: malicious, Browse Filename: vGJZ7R5D9P.dll, Detection: malicious, Browse Filename: vEbriCJic0.dll, Detection: malicious, Browse Filename: 48O5lgRp91.dll, Detection: malicious, Browse Filename: PDAZE3eQB1.dll, Detection: malicious, Browse Filename: rBsGH746YC.dll, Detection: malicious, Browse Filename: dKkvbrzdUL.dll, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..`_Z.`_Z.`_Z...Z.`_Z...Z1`_Z...Z.`_Z.>\[.`_Z.>[[.`_Z.>Z[.`_Z...Z.`_Z...Z.`_Z.`^Z@`_Z->Z[.`_Z->_[.`_Z(>.Z.`_Z->][.`_ZRich.`_Z........PE..L......Y..........................................@.......................... ............@.........................@...4...t...(........:......................X...Pn..T...............................@...................... ....................text............................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....F.......H..................@..@.reloc..X........ ..................@..B........................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.943301985754563
Encrypted:	false
SSDEEP:	49152:XEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhOvm:XyfBhz1aRxcSUDk36SAEdhGm
MD5:	CBB4BE2403D2BE4554AA9BE6B49A7B62
SHA1:	112D00C9FC32873F6186CCA9484CE67B7D9004EC
SHA-256:	5677D02E02429ED7EEF009420C5CDE3B246F37E2489D73FED257D79BF11AA35A
SHA-512:	9A55B3968BB1996B251B8BCE239ADAFE00D9F8B8D2E5CACC068A9638448CAC4A7F952481CB9944A1F8EE68373927EA35CCE6F8DFEEEB9F8CD4D8A90FE3B18112
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.263463032588948
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	habHh1BC0L.dll
File size:	5'267'459 bytes
MD5:	a34d8bd7493c5f8c2bf381a0267de463
SHA1:	19326be1a905a053f95cef69a630d30cb298bd5b
SHA256:	133e1d4c87a3728c2888997025565651e654f5af74c5428f822c9c058ec3b35e
SHA512:	647452c6bb769e1a928aba3af6140a63f210f14c3208b68ef05b94580c368f5fb865885ee8ce37bf3ae508687f1b2ec5c99e3364d9416a80eb15c11739dcd789
SSDEEP:	49152:RnpEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhOv:1pyfBhz1aRxcSUDk36SAEdhG
TLSH:	0136236530A8C074D103157044ABCB62F6B67C3A17BA694FBF904E7E2E63B66E714B42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F69B0BD6D5Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F69B0BD6D78h
cmp esi, 01h
je 00007F69B0BD6D57h
cmp esi, 02h
jne 00007F69B0BD6D74h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F69B0BD6D5Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F69B0BD6D5Eh
push edi
push esi
push ebx
call 00007F69B0BD6C6Ah
test eax, eax
jne 00007F69B0BD6D56h
xor eax, eax
jmp 00007F69B0BD6DA0h
push edi
push esi
push ebx
call 00007F69B0BD6B1Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F69B0BD6D5Eh
test eax, eax
jne 00007F69B0BD6D89h
push edi
push eax
push ebx
call 00007F69B0BD6C46h
test esi, esi
je 00007F69B0BD6D57h
cmp esi, 03h
jne 00007F69B0BD6D78h
push edi
push esi
push ebx
call 00007F69B0BD6C35h
test eax, eax
jne 00007F69B0BD6D55h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F69B0BD6D63h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F69B0BD6D5Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	857139210d3a62a8a1989f7d867b7782	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8180646896362305

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T22:42:59.628747+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.9	64051	1.1.1.1	53	UDP
2025-01-14T22:43:00.434570+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49727	103.224.212.215	80	TCP
2025-01-14T22:43:02.106468+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49740	103.224.212.215	80	TCP
2025-01-14T22:45:08.618751+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	52883	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 22:42:52.641781092 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 22:42:53.251257896 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 22:42:53.360632896 CET	49673	443	192.168.2.9	204.79.197.203
Jan 14, 2025 22:42:54.079406023 CET	49676	443	192.168.2.9	23.206.229.209
Jan 14, 2025 22:42:54.079607010 CET	49675	443	192.168.2.9	23.206.229.209
Jan 14, 2025 22:42:54.282613039 CET	49674	443	192.168.2.9	23.206.229.209
Jan 14, 2025 22:42:54.454288960 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 22:42:56.860528946 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 22:42:59.817001104 CET	49727	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:42:59.821856022 CET	80	49727	103.224.212.215	192.168.2.9
Jan 14, 2025 22:42:59.821923971 CET	49727	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:42:59.826843023 CET	49727	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:42:59.831608057 CET	80	49727	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:00.434376001 CET	80	49727	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:00.434524059 CET	80	49727	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:00.434570074 CET	49727	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:00.439075947 CET	49727	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:00.477268934 CET	49727	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:00.482059002 CET	80	49727	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:00.856102943 CET	49738	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:00.860913038 CET	80	49738	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:00.860980988 CET	49738	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:00.861591101 CET	49738	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:00.866339922 CET	80	49738	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:01.324824095 CET	80	49738	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:01.324837923 CET	80	49738	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:01.324899912 CET	49738	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:01.331487894 CET	49738	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:01.331520081 CET	49738	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:01.478303909 CET	49740	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:01.483114958 CET	80	49740	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:01.483176947 CET	49740	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:01.483303070 CET	49740	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:01.488024950 CET	80	49740	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:01.666387081 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 22:43:02.106354952 CET	80	49740	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.106467962 CET	49740	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.106508017 CET	80	49740	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.106558084 CET	49740	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.126575947 CET	49740	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.131720066 CET	80	49740	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.139364004 CET	49745	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.144207954 CET	80	49745	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:02.144332886 CET	49745	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.144985914 CET	49745	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.150867939 CET	80	49745	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:02.171926975 CET	49746	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.176731110 CET	80	49746	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.176798105 CET	49746	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.176923990 CET	49746	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.181663990 CET	80	49746	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.628145933 CET	80	49745	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:02.628165007 CET	80	49745	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:02.628218889 CET	49745	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.633975029 CET	49745	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.633986950 CET	49745	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.666172981 CET	49752	445	192.168.2.9	100.186.60.227
Jan 14, 2025 22:43:02.671065092 CET	445	49752	100.186.60.227	192.168.2.9
Jan 14, 2025 22:43:02.672039032 CET	49752	445	192.168.2.9	100.186.60.227
Jan 14, 2025 22:43:02.672070980 CET	49752	445	192.168.2.9	100.186.60.227
Jan 14, 2025 22:43:02.672458887 CET	49753	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:02.677000999 CET	445	49752	100.186.60.227	192.168.2.9
Jan 14, 2025 22:43:02.677248955 CET	445	49753	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:02.677316904 CET	49752	445	192.168.2.9	100.186.60.227
Jan 14, 2025 22:43:02.677417040 CET	49753	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:02.678474903 CET	49753	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:02.681837082 CET	49754	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:02.683352947 CET	445	49753	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:02.683598995 CET	49753	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:02.686674118 CET	445	49754	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:02.686769962 CET	49754	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:02.686825991 CET	49754	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:02.691584110 CET	445	49754	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:02.782998085 CET	80	49746	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.783235073 CET	80	49746	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.783308983 CET	49746	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.787194967 CET	49746	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:43:02.788650990 CET	49758	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.791944027 CET	80	49746	103.224.212.215	192.168.2.9
Jan 14, 2025 22:43:02.793440104 CET	80	49758	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:02.793541908 CET	49758	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.793771029 CET	49758	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:02.798494101 CET	80	49758	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:02.969923973 CET	49673	443	192.168.2.9	204.79.197.203
Jan 14, 2025 22:43:03.270257950 CET	80	49758	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:03.270272970 CET	80	49758	199.59.243.228	192.168.2.9
Jan 14, 2025 22:43:03.270344019 CET	49758	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:03.270344019 CET	49758	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:03.688637018 CET	49676	443	192.168.2.9	23.206.229.209
Jan 14, 2025 22:43:03.688663006 CET	49675	443	192.168.2.9	23.206.229.209
Jan 14, 2025 22:43:03.857814074 CET	49758	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:03.857851028 CET	49758	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:43:03.891789913 CET	49674	443	192.168.2.9	23.206.229.209
Jan 14, 2025 22:43:04.674668074 CET	49787	445	192.168.2.9	99.38.44.207
Jan 14, 2025 22:43:04.679474115 CET	445	49787	99.38.44.207	192.168.2.9
Jan 14, 2025 22:43:04.679546118 CET	49787	445	192.168.2.9	99.38.44.207
Jan 14, 2025 22:43:04.679661036 CET	49787	445	192.168.2.9	99.38.44.207
Jan 14, 2025 22:43:04.679917097 CET	49788	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:04.684473991 CET	445	49787	99.38.44.207	192.168.2.9
Jan 14, 2025 22:43:04.684530020 CET	49787	445	192.168.2.9	99.38.44.207
Jan 14, 2025 22:43:04.684822083 CET	445	49788	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:04.684887886 CET	49788	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:04.684927940 CET	49788	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:04.686151028 CET	49789	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:04.690067053 CET	445	49788	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:04.690129042 CET	49788	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:04.690912962 CET	445	49789	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:04.690972090 CET	49789	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:04.691026926 CET	49789	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:04.695827007 CET	445	49789	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:05.506189108 CET	443	49704	23.206.229.209	192.168.2.9
Jan 14, 2025 22:43:05.506416082 CET	49704	443	192.168.2.9	23.206.229.209
Jan 14, 2025 22:43:06.783495903 CET	49819	445	192.168.2.9	77.201.178.167
Jan 14, 2025 22:43:06.788352013 CET	445	49819	77.201.178.167	192.168.2.9
Jan 14, 2025 22:43:06.788492918 CET	49819	445	192.168.2.9	77.201.178.167
Jan 14, 2025 22:43:06.788655043 CET	49819	445	192.168.2.9	77.201.178.167
Jan 14, 2025 22:43:06.788856983 CET	49822	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:06.793487072 CET	445	49819	77.201.178.167	192.168.2.9
Jan 14, 2025 22:43:06.793637037 CET	445	49822	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:06.793711901 CET	49819	445	192.168.2.9	77.201.178.167
Jan 14, 2025 22:43:06.793791056 CET	49822	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:06.798433065 CET	49822	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:06.803255081 CET	445	49822	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:06.804539919 CET	49822	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:06.881956100 CET	49825	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:06.886831999 CET	445	49825	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:06.888557911 CET	49825	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:06.888617039 CET	49825	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:06.893405914 CET	445	49825	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:08.568846941 CET	445	49825	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:08.572571993 CET	49825	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:08.572674990 CET	49825	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:08.572761059 CET	49825	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:08.578599930 CET	445	49825	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:08.578638077 CET	445	49825	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:08.721543074 CET	49857	445	192.168.2.9	4.3.90.171
Jan 14, 2025 22:43:08.726600885 CET	445	49857	4.3.90.171	192.168.2.9
Jan 14, 2025 22:43:08.726757050 CET	49857	445	192.168.2.9	4.3.90.171
Jan 14, 2025 22:43:08.726799011 CET	49857	445	192.168.2.9	4.3.90.171
Jan 14, 2025 22:43:08.726988077 CET	49858	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:08.731838942 CET	445	49857	4.3.90.171	192.168.2.9
Jan 14, 2025 22:43:08.731863976 CET	445	49858	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:08.731918097 CET	49857	445	192.168.2.9	4.3.90.171
Jan 14, 2025 22:43:08.731982946 CET	49858	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:08.732060909 CET	49858	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:08.733367920 CET	49859	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:08.737088919 CET	445	49858	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:08.738188028 CET	445	49859	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:08.738276005 CET	49858	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:08.738333941 CET	49859	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:08.738415956 CET	49859	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:08.743192911 CET	445	49859	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:10.737222910 CET	49894	445	192.168.2.9	64.4.253.22
Jan 14, 2025 22:43:10.742340088 CET	445	49894	64.4.253.22	192.168.2.9
Jan 14, 2025 22:43:10.742558002 CET	49894	445	192.168.2.9	64.4.253.22
Jan 14, 2025 22:43:10.742631912 CET	49894	445	192.168.2.9	64.4.253.22
Jan 14, 2025 22:43:10.743571997 CET	49895	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:10.747670889 CET	445	49894	64.4.253.22	192.168.2.9
Jan 14, 2025 22:43:10.747827053 CET	49894	445	192.168.2.9	64.4.253.22
Jan 14, 2025 22:43:10.748456955 CET	445	49895	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:10.749021053 CET	49895	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:10.749021053 CET	49895	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:10.749989986 CET	49896	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:10.754025936 CET	445	49895	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:10.754112959 CET	49895	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:10.754834890 CET	445	49896	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:10.754903078 CET	49896	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:10.754951000 CET	49896	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:10.759804010 CET	445	49896	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:11.266896009 CET	49677	443	192.168.2.9	20.189.173.11
Jan 14, 2025 22:43:11.579943895 CET	49910	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:11.584861994 CET	445	49910	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:11.584968090 CET	49910	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:11.585027933 CET	49910	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:11.589842081 CET	445	49910	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:12.787688971 CET	49930	445	192.168.2.9	190.197.148.161
Jan 14, 2025 22:43:12.792495966 CET	445	49930	190.197.148.161	192.168.2.9
Jan 14, 2025 22:43:12.792619944 CET	49930	445	192.168.2.9	190.197.148.161
Jan 14, 2025 22:43:12.792619944 CET	49930	445	192.168.2.9	190.197.148.161
Jan 14, 2025 22:43:12.792860031 CET	49931	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:12.797533035 CET	445	49930	190.197.148.161	192.168.2.9
Jan 14, 2025 22:43:12.797620058 CET	49930	445	192.168.2.9	190.197.148.161
Jan 14, 2025 22:43:12.797625065 CET	445	49931	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:12.797710896 CET	49931	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:12.797710896 CET	49931	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:12.799066067 CET	49932	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:12.802974939 CET	445	49931	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:12.803076982 CET	49931	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:12.803940058 CET	445	49932	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:12.804011106 CET	49932	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:12.804064035 CET	49932	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:12.808854103 CET	445	49932	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:13.240267038 CET	445	49910	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:13.240348101 CET	49910	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:13.240401983 CET	49910	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:13.240469933 CET	49910	445	192.168.2.9	77.201.178.1
Jan 14, 2025 22:43:13.245166063 CET	445	49910	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:13.245234013 CET	445	49910	77.201.178.1	192.168.2.9
Jan 14, 2025 22:43:13.305433035 CET	49944	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:13.310343027 CET	445	49944	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:13.310437918 CET	49944	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:13.310517073 CET	49944	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:13.311645031 CET	49946	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:13.315768003 CET	445	49944	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:13.315821886 CET	49944	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:13.316412926 CET	445	49946	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:13.316477060 CET	49946	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:13.316526890 CET	49946	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:13.505593061 CET	445	49946	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:14.784012079 CET	49971	445	192.168.2.9	136.196.81.224
Jan 14, 2025 22:43:14.790194035 CET	445	49971	136.196.81.224	192.168.2.9
Jan 14, 2025 22:43:14.790275097 CET	49971	445	192.168.2.9	136.196.81.224
Jan 14, 2025 22:43:14.790326118 CET	49971	445	192.168.2.9	136.196.81.224
Jan 14, 2025 22:43:14.790570974 CET	49972	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:14.795334101 CET	445	49971	136.196.81.224	192.168.2.9
Jan 14, 2025 22:43:14.795345068 CET	445	49972	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:14.795406103 CET	49971	445	192.168.2.9	136.196.81.224
Jan 14, 2025 22:43:14.795414925 CET	49972	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:14.795478106 CET	49972	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:14.795768976 CET	49973	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:14.800477028 CET	445	49972	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:14.800535917 CET	49972	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:14.800708055 CET	445	49973	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:14.800762892 CET	49973	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:14.800818920 CET	49973	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:14.805569887 CET	445	49973	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:16.799298048 CET	50003	445	192.168.2.9	143.113.52.182
Jan 14, 2025 22:43:16.804202080 CET	445	50003	143.113.52.182	192.168.2.9
Jan 14, 2025 22:43:16.804267883 CET	50003	445	192.168.2.9	143.113.52.182
Jan 14, 2025 22:43:16.804356098 CET	50003	445	192.168.2.9	143.113.52.182
Jan 14, 2025 22:43:16.804558039 CET	50004	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:16.809341908 CET	445	50003	143.113.52.182	192.168.2.9
Jan 14, 2025 22:43:16.809353113 CET	445	50004	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:16.809391975 CET	50003	445	192.168.2.9	143.113.52.182
Jan 14, 2025 22:43:16.809426069 CET	50004	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:16.809519053 CET	50004	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:16.809887886 CET	50005	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:16.814332962 CET	445	50004	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:16.814526081 CET	445	50004	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:16.814562082 CET	50004	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:16.814647913 CET	445	50005	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:16.814693928 CET	50005	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:16.814727068 CET	50005	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:16.819438934 CET	445	50005	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:17.359000921 CET	52262	53	192.168.2.9	1.1.1.1
Jan 14, 2025 22:43:17.364404917 CET	53	52262	1.1.1.1	192.168.2.9
Jan 14, 2025 22:43:17.364476919 CET	52262	53	192.168.2.9	1.1.1.1
Jan 14, 2025 22:43:17.369286060 CET	53	52262	1.1.1.1	192.168.2.9
Jan 14, 2025 22:43:17.838731050 CET	52262	53	192.168.2.9	1.1.1.1
Jan 14, 2025 22:43:17.843687057 CET	53	52262	1.1.1.1	192.168.2.9
Jan 14, 2025 22:43:17.843765020 CET	52262	53	192.168.2.9	1.1.1.1
Jan 14, 2025 22:43:18.833586931 CET	52290	445	192.168.2.9	181.221.235.219
Jan 14, 2025 22:43:18.838532925 CET	445	52290	181.221.235.219	192.168.2.9
Jan 14, 2025 22:43:18.840543985 CET	52290	445	192.168.2.9	181.221.235.219
Jan 14, 2025 22:43:18.842094898 CET	52290	445	192.168.2.9	181.221.235.219
Jan 14, 2025 22:43:18.842328072 CET	52291	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:18.846853971 CET	445	52290	181.221.235.219	192.168.2.9
Jan 14, 2025 22:43:18.846926928 CET	52290	445	192.168.2.9	181.221.235.219
Jan 14, 2025 22:43:18.847103119 CET	445	52291	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:18.847176075 CET	52291	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:18.850756884 CET	52291	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:18.855309963 CET	52292	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:18.855557919 CET	445	52291	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:18.855628014 CET	52291	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:18.860069036 CET	445	52292	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:18.862993002 CET	52292	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:18.873769999 CET	52292	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:18.878634930 CET	445	52292	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:20.830002069 CET	52324	445	192.168.2.9	52.178.54.35
Jan 14, 2025 22:43:20.834882021 CET	445	52324	52.178.54.35	192.168.2.9
Jan 14, 2025 22:43:20.835047960 CET	52324	445	192.168.2.9	52.178.54.35
Jan 14, 2025 22:43:20.835109949 CET	52324	445	192.168.2.9	52.178.54.35
Jan 14, 2025 22:43:20.835479021 CET	52325	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:20.840028048 CET	445	52324	52.178.54.35	192.168.2.9
Jan 14, 2025 22:43:20.840097904 CET	52324	445	192.168.2.9	52.178.54.35
Jan 14, 2025 22:43:20.840248108 CET	445	52325	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:20.840367079 CET	52325	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:20.840367079 CET	52325	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:20.840848923 CET	52326	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:20.845602036 CET	445	52325	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:20.845649004 CET	445	52326	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:20.845671892 CET	52325	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:20.845740080 CET	52326	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:20.845798016 CET	52326	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:20.850595951 CET	445	52326	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:22.845999002 CET	52361	445	192.168.2.9	181.105.239.130
Jan 14, 2025 22:43:22.850980043 CET	445	52361	181.105.239.130	192.168.2.9
Jan 14, 2025 22:43:22.851155043 CET	52361	445	192.168.2.9	181.105.239.130
Jan 14, 2025 22:43:22.851155043 CET	52361	445	192.168.2.9	181.105.239.130
Jan 14, 2025 22:43:22.851285934 CET	52362	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:22.856158972 CET	445	52361	181.105.239.130	192.168.2.9
Jan 14, 2025 22:43:22.856184006 CET	445	52362	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:22.856297970 CET	52362	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:22.856301069 CET	52361	445	192.168.2.9	181.105.239.130
Jan 14, 2025 22:43:22.856398106 CET	52362	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:22.856755018 CET	52363	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:22.861428022 CET	445	52362	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:22.861567974 CET	445	52363	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:22.861618042 CET	52362	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:22.861787081 CET	52363	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:22.861787081 CET	52363	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:22.866652012 CET	445	52363	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:24.073685884 CET	445	49754	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:24.073769093 CET	49754	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:24.073821068 CET	49754	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:24.073895931 CET	49754	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:24.078532934 CET	445	49754	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:24.078640938 CET	445	49754	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:24.882813931 CET	52396	445	192.168.2.9	201.15.39.106
Jan 14, 2025 22:43:24.887626886 CET	445	52396	201.15.39.106	192.168.2.9
Jan 14, 2025 22:43:24.887686014 CET	52396	445	192.168.2.9	201.15.39.106
Jan 14, 2025 22:43:24.887844086 CET	52396	445	192.168.2.9	201.15.39.106
Jan 14, 2025 22:43:24.887979984 CET	52398	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:24.892626047 CET	445	52396	201.15.39.106	192.168.2.9
Jan 14, 2025 22:43:24.892683029 CET	52396	445	192.168.2.9	201.15.39.106
Jan 14, 2025 22:43:24.892726898 CET	445	52398	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:24.892784119 CET	52398	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:24.892851114 CET	52398	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:24.893086910 CET	52399	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:24.897656918 CET	445	52398	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:24.897725105 CET	52398	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:24.897876024 CET	445	52399	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:24.897965908 CET	52399	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:24.897998095 CET	52399	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:24.902753115 CET	445	52399	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:26.055751085 CET	445	49789	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:26.055861950 CET	49789	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:26.055911064 CET	49789	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:26.055980921 CET	49789	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:26.060810089 CET	445	49789	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:26.060843945 CET	445	49789	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:26.892510891 CET	52431	445	192.168.2.9	85.167.36.211
Jan 14, 2025 22:43:26.897470951 CET	445	52431	85.167.36.211	192.168.2.9
Jan 14, 2025 22:43:26.897574902 CET	52431	445	192.168.2.9	85.167.36.211
Jan 14, 2025 22:43:26.897623062 CET	52431	445	192.168.2.9	85.167.36.211
Jan 14, 2025 22:43:26.899336100 CET	52432	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:26.902689934 CET	445	52431	85.167.36.211	192.168.2.9
Jan 14, 2025 22:43:26.902785063 CET	52431	445	192.168.2.9	85.167.36.211
Jan 14, 2025 22:43:26.904165983 CET	445	52432	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:26.904299021 CET	52432	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:26.904386044 CET	52432	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:26.904827118 CET	52433	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:26.909311056 CET	445	52432	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:26.909447908 CET	52432	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:26.909674883 CET	445	52433	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:26.909746885 CET	52433	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:26.909770012 CET	52433	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:26.914721012 CET	445	52433	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:27.080183983 CET	52437	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:27.084918022 CET	445	52437	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:27.084983110 CET	52437	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:27.085031986 CET	52437	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:27.089914083 CET	445	52437	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:28.909504890 CET	52459	445	192.168.2.9	45.247.224.71
Jan 14, 2025 22:43:28.915468931 CET	445	52459	45.247.224.71	192.168.2.9
Jan 14, 2025 22:43:28.915803909 CET	52459	445	192.168.2.9	45.247.224.71
Jan 14, 2025 22:43:28.915803909 CET	52459	445	192.168.2.9	45.247.224.71
Jan 14, 2025 22:43:28.915930033 CET	52460	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:28.921888113 CET	445	52460	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:28.921998024 CET	52460	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:28.922044992 CET	52460	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:28.922362089 CET	445	52459	45.247.224.71	192.168.2.9
Jan 14, 2025 22:43:28.922508955 CET	52461	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:28.922529936 CET	52459	445	192.168.2.9	45.247.224.71
Jan 14, 2025 22:43:28.928205013 CET	445	52460	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:28.928323984 CET	52460	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:28.928359032 CET	445	52461	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:28.928451061 CET	52461	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:28.928524971 CET	52461	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:28.934360981 CET	445	52461	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:29.064230919 CET	52463	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:29.069432974 CET	445	52463	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:29.069514036 CET	52463	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:29.069559097 CET	52463	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:29.075615883 CET	445	52463	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:30.118551016 CET	445	49859	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:30.118676901 CET	49859	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:30.118752003 CET	49859	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:30.118837118 CET	49859	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:30.123569012 CET	445	49859	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:30.123583078 CET	445	49859	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:30.967205048 CET	52474	445	192.168.2.9	102.101.193.11
Jan 14, 2025 22:43:30.972016096 CET	445	52474	102.101.193.11	192.168.2.9
Jan 14, 2025 22:43:30.972110987 CET	52474	445	192.168.2.9	102.101.193.11
Jan 14, 2025 22:43:30.975611925 CET	52474	445	192.168.2.9	102.101.193.11
Jan 14, 2025 22:43:30.980417967 CET	445	52474	102.101.193.11	192.168.2.9
Jan 14, 2025 22:43:30.980488062 CET	52474	445	192.168.2.9	102.101.193.11
Jan 14, 2025 22:43:30.987210035 CET	52475	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:30.992014885 CET	445	52475	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:30.992085934 CET	52475	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:30.993222952 CET	52475	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:30.997999907 CET	445	52475	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:30.998043060 CET	52476	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:30.998049021 CET	52475	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:31.002787113 CET	445	52476	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:31.003077984 CET	52476	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:31.004101992 CET	52476	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:31.008833885 CET	445	52476	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:32.132339954 CET	445	49896	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:32.132405996 CET	49896	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:32.132448912 CET	49896	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:32.132519007 CET	49896	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:32.137252092 CET	445	49896	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:32.137280941 CET	445	49896	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:33.126657963 CET	52487	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:33.131632090 CET	445	52487	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:33.131712914 CET	52487	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:33.131786108 CET	52487	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:33.136548996 CET	445	52487	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:34.124233961 CET	52494	445	192.168.2.9	144.109.189.166
Jan 14, 2025 22:43:34.129908085 CET	445	52494	144.109.189.166	192.168.2.9
Jan 14, 2025 22:43:34.129992008 CET	52494	445	192.168.2.9	144.109.189.166
Jan 14, 2025 22:43:34.133701086 CET	52494	445	192.168.2.9	144.109.189.166
Jan 14, 2025 22:43:34.133917093 CET	52495	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:34.138752937 CET	445	52495	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:34.138814926 CET	52495	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:34.138930082 CET	52495	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:34.139071941 CET	445	52494	144.109.189.166	192.168.2.9
Jan 14, 2025 22:43:34.139123917 CET	52494	445	192.168.2.9	144.109.189.166
Jan 14, 2025 22:43:34.139904022 CET	52496	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:34.144403934 CET	445	52495	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:34.144460917 CET	52495	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:34.145126104 CET	445	52496	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:34.145191908 CET	52496	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:34.150074959 CET	52496	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:34.155520916 CET	445	52496	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:34.196585894 CET	445	49932	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:34.196661949 CET	49932	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:34.248883009 CET	49932	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:34.249041080 CET	49932	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:34.253650904 CET	445	49932	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:34.253762007 CET	445	49932	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:34.883068085 CET	445	49946	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:34.883348942 CET	49946	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:34.883415937 CET	49946	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:34.883758068 CET	49946	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:34.889261007 CET	445	49946	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:34.889271021 CET	445	49946	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:34.986485958 CET	52502	445	192.168.2.9	76.118.156.168
Jan 14, 2025 22:43:34.991846085 CET	445	52502	76.118.156.168	192.168.2.9
Jan 14, 2025 22:43:34.992017984 CET	52502	445	192.168.2.9	76.118.156.168
Jan 14, 2025 22:43:34.992043018 CET	52502	445	192.168.2.9	76.118.156.168
Jan 14, 2025 22:43:34.992280960 CET	52503	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:34.998214960 CET	445	52503	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:34.998322964 CET	52503	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:34.998356104 CET	52503	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:34.998857975 CET	445	52502	76.118.156.168	192.168.2.9
Jan 14, 2025 22:43:34.998923063 CET	52502	445	192.168.2.9	76.118.156.168
Jan 14, 2025 22:43:34.998992920 CET	52504	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:35.004951954 CET	445	52503	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:35.004981995 CET	445	52504	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:35.005021095 CET	52503	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:35.005110025 CET	52504	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:35.005186081 CET	52504	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:35.010277987 CET	445	52504	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:35.142091990 CET	52507	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:35.147152901 CET	445	52507	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:35.147253990 CET	52507	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:35.147344112 CET	52507	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:35.152187109 CET	445	52507	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:36.163599968 CET	445	49973	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:36.163721085 CET	49973	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:36.163789988 CET	49973	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:36.163867950 CET	49973	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:36.168612957 CET	445	49973	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:36.168654919 CET	445	49973	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:37.023247004 CET	52517	445	192.168.2.9	48.189.89.156
Jan 14, 2025 22:43:37.028053045 CET	445	52517	48.189.89.156	192.168.2.9
Jan 14, 2025 22:43:37.028119087 CET	52517	445	192.168.2.9	48.189.89.156
Jan 14, 2025 22:43:37.028222084 CET	52517	445	192.168.2.9	48.189.89.156
Jan 14, 2025 22:43:37.028382063 CET	52520	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:37.033092976 CET	445	52517	48.189.89.156	192.168.2.9
Jan 14, 2025 22:43:37.033150911 CET	52517	445	192.168.2.9	48.189.89.156
Jan 14, 2025 22:43:37.033229113 CET	445	52520	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:37.033284903 CET	52520	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:37.033382893 CET	52520	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:37.033715963 CET	52521	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:37.038314104 CET	445	52520	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:37.038535118 CET	445	52521	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:37.038599968 CET	52521	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:37.038609028 CET	445	52520	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:37.038635015 CET	52521	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:37.038657904 CET	52520	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:37.043411016 CET	445	52521	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:37.254297972 CET	52523	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:37.259537935 CET	445	52523	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:37.259630919 CET	52523	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:37.260961056 CET	52523	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:37.265948057 CET	445	52523	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:37.892751932 CET	52527	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:37.897571087 CET	445	52527	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:37.897650957 CET	52527	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:37.897720098 CET	52527	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:37.902512074 CET	445	52527	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:38.163578033 CET	445	50005	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:38.163676023 CET	50005	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:38.163727045 CET	50005	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:38.163774014 CET	50005	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:38.168601990 CET	445	50005	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:38.168612003 CET	445	50005	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:38.892664909 CET	52533	445	192.168.2.9	150.120.191.64
Jan 14, 2025 22:43:38.897630930 CET	445	52533	150.120.191.64	192.168.2.9
Jan 14, 2025 22:43:38.897824049 CET	52533	445	192.168.2.9	150.120.191.64
Jan 14, 2025 22:43:38.897824049 CET	52533	445	192.168.2.9	150.120.191.64
Jan 14, 2025 22:43:38.897886038 CET	52534	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:43:38.902698994 CET	445	52534	150.120.191.1	192.168.2.9
Jan 14, 2025 22:43:38.902766943 CET	52534	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:43:38.902870893 CET	445	52533	150.120.191.64	192.168.2.9
Jan 14, 2025 22:43:38.902913094 CET	52534	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:43:38.902916908 CET	52533	445	192.168.2.9	150.120.191.64
Jan 14, 2025 22:43:38.903121948 CET	52535	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:43:38.907738924 CET	445	52534	150.120.191.1	192.168.2.9
Jan 14, 2025 22:43:38.907814026 CET	52534	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:43:38.907964945 CET	445	52535	150.120.191.1	192.168.2.9
Jan 14, 2025 22:43:38.908027887 CET	52535	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:43:38.908068895 CET	52535	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:43:38.912923098 CET	445	52535	150.120.191.1	192.168.2.9
Jan 14, 2025 22:43:39.173230886 CET	52537	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:39.178107977 CET	445	52537	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:39.178184032 CET	52537	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:39.178224087 CET	52537	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:43:39.182988882 CET	445	52537	136.196.81.1	192.168.2.9
Jan 14, 2025 22:43:40.243031979 CET	445	52292	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:40.243093967 CET	52292	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:40.243151903 CET	52292	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:40.243191957 CET	52292	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:40.249392033 CET	445	52292	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:40.249407053 CET	445	52292	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:40.642556906 CET	52547	445	192.168.2.9	69.246.167.241
Jan 14, 2025 22:43:40.647512913 CET	445	52547	69.246.167.241	192.168.2.9
Jan 14, 2025 22:43:40.647636890 CET	52547	445	192.168.2.9	69.246.167.241
Jan 14, 2025 22:43:40.647680044 CET	52547	445	192.168.2.9	69.246.167.241
Jan 14, 2025 22:43:40.647932053 CET	52548	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:43:40.652746916 CET	445	52547	69.246.167.241	192.168.2.9
Jan 14, 2025 22:43:40.652777910 CET	445	52548	69.246.167.1	192.168.2.9
Jan 14, 2025 22:43:40.652812004 CET	52547	445	192.168.2.9	69.246.167.241
Jan 14, 2025 22:43:40.652846098 CET	52548	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:43:40.652895927 CET	52548	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:43:40.653328896 CET	52549	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:43:40.657830954 CET	445	52548	69.246.167.1	192.168.2.9
Jan 14, 2025 22:43:40.657881975 CET	52548	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:43:40.658121109 CET	445	52549	69.246.167.1	192.168.2.9
Jan 14, 2025 22:43:40.658171892 CET	52549	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:43:40.658212900 CET	52549	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:43:40.663008928 CET	445	52549	69.246.167.1	192.168.2.9
Jan 14, 2025 22:43:41.173300028 CET	52554	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:41.178181887 CET	445	52554	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:41.178292990 CET	52554	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:41.178338051 CET	52554	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:43:41.184104919 CET	445	52554	143.113.52.1	192.168.2.9
Jan 14, 2025 22:43:42.228141069 CET	445	52326	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:42.228239059 CET	52326	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:42.228293896 CET	52326	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:42.228346109 CET	52326	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:42.233058929 CET	445	52326	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:42.233088017 CET	445	52326	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:42.283512115 CET	52557	445	192.168.2.9	169.10.57.65
Jan 14, 2025 22:43:42.288444042 CET	445	52557	169.10.57.65	192.168.2.9
Jan 14, 2025 22:43:42.288558006 CET	52557	445	192.168.2.9	169.10.57.65
Jan 14, 2025 22:43:42.288639069 CET	52557	445	192.168.2.9	169.10.57.65
Jan 14, 2025 22:43:42.288774014 CET	52558	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:43:42.293570995 CET	445	52558	169.10.57.1	192.168.2.9
Jan 14, 2025 22:43:42.293606043 CET	445	52557	169.10.57.65	192.168.2.9
Jan 14, 2025 22:43:42.293665886 CET	52558	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:43:42.293708086 CET	52557	445	192.168.2.9	169.10.57.65
Jan 14, 2025 22:43:42.293787956 CET	52558	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:43:42.294095039 CET	52559	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:43:42.300282955 CET	445	52558	169.10.57.1	192.168.2.9
Jan 14, 2025 22:43:42.300299883 CET	445	52559	169.10.57.1	192.168.2.9
Jan 14, 2025 22:43:42.300347090 CET	52558	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:43:42.300405979 CET	52559	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:43:42.300463915 CET	52559	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:43:42.305250883 CET	445	52559	169.10.57.1	192.168.2.9
Jan 14, 2025 22:43:43.253669977 CET	52560	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:43.258539915 CET	445	52560	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:43.258619070 CET	52560	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:43.258668900 CET	52560	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:43:43.263446093 CET	445	52560	181.221.235.1	192.168.2.9
Jan 14, 2025 22:43:43.814836979 CET	52561	445	192.168.2.9	143.130.7.200
Jan 14, 2025 22:43:43.819911003 CET	445	52561	143.130.7.200	192.168.2.9
Jan 14, 2025 22:43:43.820044994 CET	52561	445	192.168.2.9	143.130.7.200
Jan 14, 2025 22:43:43.820096970 CET	52561	445	192.168.2.9	143.130.7.200
Jan 14, 2025 22:43:43.820326090 CET	52562	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:43:43.825377941 CET	445	52562	143.130.7.1	192.168.2.9
Jan 14, 2025 22:43:43.825392962 CET	445	52561	143.130.7.200	192.168.2.9
Jan 14, 2025 22:43:43.825472116 CET	52561	445	192.168.2.9	143.130.7.200
Jan 14, 2025 22:43:43.825660944 CET	52562	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:43:43.825660944 CET	52562	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:43:43.826164007 CET	52563	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:43:43.830727100 CET	445	52562	143.130.7.1	192.168.2.9
Jan 14, 2025 22:43:43.830790997 CET	52562	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:43:43.830984116 CET	445	52563	143.130.7.1	192.168.2.9
Jan 14, 2025 22:43:43.831052065 CET	52563	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:43:43.831084967 CET	52563	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:43:43.835882902 CET	445	52563	143.130.7.1	192.168.2.9
Jan 14, 2025 22:43:44.210700035 CET	445	52363	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:44.210819006 CET	52363	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:44.211066008 CET	52363	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:44.211066008 CET	52363	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:44.215859890 CET	445	52363	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:44.215924978 CET	445	52363	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:45.236666918 CET	52564	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:45.239442110 CET	52565	445	192.168.2.9	194.135.85.58
Jan 14, 2025 22:43:45.251837015 CET	445	52564	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:45.251852036 CET	445	52565	194.135.85.58	192.168.2.9
Jan 14, 2025 22:43:45.251935005 CET	52564	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:45.252232075 CET	52564	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:43:45.252235889 CET	52565	445	192.168.2.9	194.135.85.58
Jan 14, 2025 22:43:45.252350092 CET	52565	445	192.168.2.9	194.135.85.58
Jan 14, 2025 22:43:45.252562046 CET	52566	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:43:45.256963968 CET	445	52564	52.178.54.1	192.168.2.9
Jan 14, 2025 22:43:45.257379055 CET	445	52566	194.135.85.1	192.168.2.9
Jan 14, 2025 22:43:45.257464886 CET	52566	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:43:45.257620096 CET	52566	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:43:45.258250952 CET	52567	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:43:45.258306026 CET	445	52565	194.135.85.58	192.168.2.9
Jan 14, 2025 22:43:45.259479046 CET	445	52565	194.135.85.58	192.168.2.9
Jan 14, 2025 22:43:45.259552002 CET	52565	445	192.168.2.9	194.135.85.58
Jan 14, 2025 22:43:45.262583017 CET	445	52566	194.135.85.1	192.168.2.9
Jan 14, 2025 22:43:45.262660027 CET	52566	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:43:45.263144970 CET	445	52567	194.135.85.1	192.168.2.9
Jan 14, 2025 22:43:45.263236046 CET	52567	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:43:45.263308048 CET	52567	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:43:45.268119097 CET	445	52567	194.135.85.1	192.168.2.9
Jan 14, 2025 22:43:46.276873112 CET	445	52399	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:46.277142048 CET	52399	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:46.277324915 CET	52399	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:46.277503967 CET	52399	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:46.282071114 CET	445	52399	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:46.282222033 CET	445	52399	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:46.565010071 CET	52568	445	192.168.2.9	87.157.193.156
Jan 14, 2025 22:43:46.569904089 CET	445	52568	87.157.193.156	192.168.2.9
Jan 14, 2025 22:43:46.570121050 CET	52568	445	192.168.2.9	87.157.193.156
Jan 14, 2025 22:43:46.570121050 CET	52568	445	192.168.2.9	87.157.193.156
Jan 14, 2025 22:43:46.570275068 CET	52569	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:43:46.575077057 CET	445	52569	87.157.193.1	192.168.2.9
Jan 14, 2025 22:43:46.575145960 CET	52569	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:43:46.575181007 CET	52569	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:43:46.575349092 CET	445	52568	87.157.193.156	192.168.2.9
Jan 14, 2025 22:43:46.575407028 CET	52568	445	192.168.2.9	87.157.193.156
Jan 14, 2025 22:43:46.575520039 CET	52570	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:43:46.580066919 CET	445	52569	87.157.193.1	192.168.2.9
Jan 14, 2025 22:43:46.580126047 CET	52569	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:43:46.580321074 CET	445	52570	87.157.193.1	192.168.2.9
Jan 14, 2025 22:43:46.580383062 CET	52570	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:43:46.580429077 CET	52570	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:43:46.585150957 CET	445	52570	87.157.193.1	192.168.2.9
Jan 14, 2025 22:43:47.220336914 CET	52571	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:47.225167990 CET	445	52571	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:47.225364923 CET	52571	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:47.225364923 CET	52571	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:43:47.230195045 CET	445	52571	181.105.239.1	192.168.2.9
Jan 14, 2025 22:43:47.814244032 CET	52572	445	192.168.2.9	115.211.37.229
Jan 14, 2025 22:43:47.819144964 CET	445	52572	115.211.37.229	192.168.2.9
Jan 14, 2025 22:43:47.819236040 CET	52572	445	192.168.2.9	115.211.37.229
Jan 14, 2025 22:43:47.819375992 CET	52572	445	192.168.2.9	115.211.37.229
Jan 14, 2025 22:43:47.819761992 CET	52573	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:43:47.824305058 CET	445	52572	115.211.37.229	192.168.2.9
Jan 14, 2025 22:43:47.824381113 CET	52572	445	192.168.2.9	115.211.37.229
Jan 14, 2025 22:43:47.824655056 CET	445	52573	115.211.37.1	192.168.2.9
Jan 14, 2025 22:43:47.824835062 CET	52573	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:43:47.824879885 CET	52573	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:43:47.825401068 CET	52574	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:43:47.829794884 CET	445	52573	115.211.37.1	192.168.2.9
Jan 14, 2025 22:43:47.829860926 CET	52573	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:43:47.830286026 CET	445	52574	115.211.37.1	192.168.2.9
Jan 14, 2025 22:43:47.830354929 CET	52574	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:43:47.830388069 CET	52574	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:43:47.835140944 CET	445	52574	115.211.37.1	192.168.2.9
Jan 14, 2025 22:43:48.292926073 CET	445	52433	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:48.293005943 CET	52433	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:48.293308020 CET	52433	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:48.293359995 CET	52433	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:48.298372984 CET	445	52433	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:48.298412085 CET	445	52433	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:48.450774908 CET	445	52437	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:48.450845003 CET	52437	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:48.450881958 CET	52437	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:48.450947046 CET	52437	445	192.168.2.9	100.186.60.1
Jan 14, 2025 22:43:48.455785990 CET	445	52437	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:48.455817938 CET	445	52437	100.186.60.1	192.168.2.9
Jan 14, 2025 22:43:48.884540081 CET	52575	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:43:48.889487982 CET	445	52575	100.186.60.2	192.168.2.9
Jan 14, 2025 22:43:48.889580011 CET	52575	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:43:48.889673948 CET	52575	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:43:48.895085096 CET	445	52575	100.186.60.2	192.168.2.9
Jan 14, 2025 22:43:48.895138979 CET	52575	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:43:49.210393906 CET	52576	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:43:49.215205908 CET	445	52576	100.186.60.2	192.168.2.9
Jan 14, 2025 22:43:49.215275049 CET	52576	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:43:49.215358019 CET	52576	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:43:49.220134974 CET	445	52576	100.186.60.2	192.168.2.9
Jan 14, 2025 22:43:49.282638073 CET	52577	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:49.287647963 CET	445	52577	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:49.287734032 CET	52577	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:49.287775993 CET	52577	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:43:49.292588949 CET	445	52577	201.15.39.1	192.168.2.9
Jan 14, 2025 22:43:49.337863922 CET	52578	445	192.168.2.9	3.72.157.164
Jan 14, 2025 22:43:49.342833996 CET	445	52578	3.72.157.164	192.168.2.9
Jan 14, 2025 22:43:49.342966080 CET	52578	445	192.168.2.9	3.72.157.164
Jan 14, 2025 22:43:49.343142033 CET	52578	445	192.168.2.9	3.72.157.164
Jan 14, 2025 22:43:49.343143940 CET	52579	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:43:49.348108053 CET	445	52578	3.72.157.164	192.168.2.9
Jan 14, 2025 22:43:49.348140955 CET	445	52579	3.72.157.1	192.168.2.9
Jan 14, 2025 22:43:49.348181009 CET	52578	445	192.168.2.9	3.72.157.164
Jan 14, 2025 22:43:49.348221064 CET	52579	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:43:49.348287106 CET	52579	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:43:49.353214979 CET	445	52579	3.72.157.1	192.168.2.9
Jan 14, 2025 22:43:49.353348970 CET	52579	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:43:49.369457006 CET	52580	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:43:49.374414921 CET	445	52580	3.72.157.1	192.168.2.9
Jan 14, 2025 22:43:49.374514103 CET	52580	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:43:49.374567032 CET	52580	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:43:49.379369974 CET	445	52580	3.72.157.1	192.168.2.9
Jan 14, 2025 22:43:50.300312042 CET	52581	445	192.168.2.9	169.191.254.175
Jan 14, 2025 22:43:50.305227041 CET	445	52581	169.191.254.175	192.168.2.9
Jan 14, 2025 22:43:50.305388927 CET	52581	445	192.168.2.9	169.191.254.175
Jan 14, 2025 22:43:50.305452108 CET	52581	445	192.168.2.9	169.191.254.175
Jan 14, 2025 22:43:50.305756092 CET	52582	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:43:50.310298920 CET	445	52581	169.191.254.175	192.168.2.9
Jan 14, 2025 22:43:50.310373068 CET	445	52581	169.191.254.175	192.168.2.9
Jan 14, 2025 22:43:50.310461998 CET	52581	445	192.168.2.9	169.191.254.175
Jan 14, 2025 22:43:50.310592890 CET	445	52582	169.191.254.1	192.168.2.9
Jan 14, 2025 22:43:50.310806036 CET	52582	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:43:50.310892105 CET	52582	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:43:50.311991930 CET	52583	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:43:50.315923929 CET	445	52582	169.191.254.1	192.168.2.9
Jan 14, 2025 22:43:50.316046953 CET	52582	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:43:50.316859961 CET	445	52583	169.191.254.1	192.168.2.9
Jan 14, 2025 22:43:50.316983938 CET	52583	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:43:50.317059994 CET	52583	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:43:50.321914911 CET	445	52583	169.191.254.1	192.168.2.9
Jan 14, 2025 22:43:50.323862076 CET	445	52461	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:50.323981047 CET	52461	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:50.324058056 CET	52461	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:50.324166059 CET	52461	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:50.328946114 CET	445	52461	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:50.328974962 CET	445	52461	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:50.429554939 CET	445	52463	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:50.429680109 CET	52463	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:50.432742119 CET	52463	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:50.432742119 CET	52463	445	192.168.2.9	99.38.44.1
Jan 14, 2025 22:43:50.437660933 CET	445	52463	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:50.437693119 CET	445	52463	99.38.44.1	192.168.2.9
Jan 14, 2025 22:43:50.485888958 CET	52584	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:43:50.491394043 CET	445	52584	99.38.44.2	192.168.2.9
Jan 14, 2025 22:43:50.491544008 CET	52584	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:43:50.491637945 CET	52584	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:43:50.492393017 CET	52585	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:43:50.497699022 CET	445	52584	99.38.44.2	192.168.2.9
Jan 14, 2025 22:43:50.497796059 CET	52584	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:43:50.498209953 CET	445	52585	99.38.44.2	192.168.2.9
Jan 14, 2025 22:43:50.498334885 CET	52585	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:43:50.498402119 CET	52585	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:43:50.504321098 CET	445	52585	99.38.44.2	192.168.2.9
Jan 14, 2025 22:43:51.142044067 CET	49705	80	192.168.2.9	199.232.214.172
Jan 14, 2025 22:43:51.147182941 CET	80	49705	199.232.214.172	192.168.2.9
Jan 14, 2025 22:43:51.147427082 CET	49705	80	192.168.2.9	199.232.214.172
Jan 14, 2025 22:43:51.298324108 CET	52586	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:51.303299904 CET	445	52586	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:51.303426981 CET	52586	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:51.303570986 CET	52586	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:43:51.308386087 CET	445	52586	85.167.36.1	192.168.2.9
Jan 14, 2025 22:43:51.314816952 CET	52587	445	192.168.2.9	210.166.219.171
Jan 14, 2025 22:43:51.319669008 CET	445	52587	210.166.219.171	192.168.2.9
Jan 14, 2025 22:43:51.319756031 CET	52587	445	192.168.2.9	210.166.219.171
Jan 14, 2025 22:43:51.319848061 CET	52587	445	192.168.2.9	210.166.219.171
Jan 14, 2025 22:43:51.319947958 CET	52588	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:51.324882030 CET	445	52588	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:51.324913979 CET	445	52587	210.166.219.171	192.168.2.9
Jan 14, 2025 22:43:51.324990034 CET	52588	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:51.325022936 CET	52587	445	192.168.2.9	210.166.219.171
Jan 14, 2025 22:43:51.325133085 CET	52588	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:51.325748920 CET	52589	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:51.330084085 CET	445	52588	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:51.330156088 CET	52588	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:51.330657959 CET	445	52589	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:51.330784082 CET	52589	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:51.330821991 CET	52589	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:51.335608006 CET	445	52589	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:52.252266884 CET	52590	445	192.168.2.9	75.17.203.131
Jan 14, 2025 22:43:52.257199049 CET	445	52590	75.17.203.131	192.168.2.9
Jan 14, 2025 22:43:52.257280111 CET	52590	445	192.168.2.9	75.17.203.131
Jan 14, 2025 22:43:52.257455111 CET	52590	445	192.168.2.9	75.17.203.131
Jan 14, 2025 22:43:52.257813931 CET	52591	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:43:52.262300014 CET	445	52590	75.17.203.131	192.168.2.9
Jan 14, 2025 22:43:52.262691975 CET	445	52591	75.17.203.1	192.168.2.9
Jan 14, 2025 22:43:52.262702942 CET	445	52590	75.17.203.131	192.168.2.9
Jan 14, 2025 22:43:52.262761116 CET	52590	445	192.168.2.9	75.17.203.131
Jan 14, 2025 22:43:52.262828112 CET	52591	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:43:52.263077021 CET	52591	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:43:52.263709068 CET	52592	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:43:52.268304110 CET	445	52591	75.17.203.1	192.168.2.9
Jan 14, 2025 22:43:52.268359900 CET	52591	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:43:52.268522978 CET	445	52592	75.17.203.1	192.168.2.9
Jan 14, 2025 22:43:52.268580914 CET	52592	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:43:52.268769026 CET	52592	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:43:52.273525953 CET	445	52592	75.17.203.1	192.168.2.9
Jan 14, 2025 22:43:52.353806973 CET	445	52476	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:52.353878975 CET	52476	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:52.353920937 CET	52476	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:52.353986979 CET	52476	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:52.358647108 CET	445	52476	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:52.358735085 CET	445	52476	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:53.128015041 CET	52593	445	192.168.2.9	71.168.64.61
Jan 14, 2025 22:43:53.132901907 CET	445	52593	71.168.64.61	192.168.2.9
Jan 14, 2025 22:43:53.133053064 CET	52593	445	192.168.2.9	71.168.64.61
Jan 14, 2025 22:43:53.133095026 CET	52593	445	192.168.2.9	71.168.64.61
Jan 14, 2025 22:43:53.133291006 CET	52594	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:43:53.138109922 CET	445	52594	71.168.64.1	192.168.2.9
Jan 14, 2025 22:43:53.138143063 CET	445	52593	71.168.64.61	192.168.2.9
Jan 14, 2025 22:43:53.138216972 CET	52594	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:43:53.138257027 CET	52593	445	192.168.2.9	71.168.64.61
Jan 14, 2025 22:43:53.138417959 CET	52594	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:43:53.138880968 CET	52595	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:43:53.143373966 CET	445	52594	71.168.64.1	192.168.2.9
Jan 14, 2025 22:43:53.143580914 CET	52594	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:43:53.143676043 CET	445	52595	71.168.64.1	192.168.2.9
Jan 14, 2025 22:43:53.143754005 CET	52595	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:43:53.143848896 CET	52595	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:43:53.148668051 CET	445	52595	71.168.64.1	192.168.2.9
Jan 14, 2025 22:43:53.165725946 CET	445	52589	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:53.165854931 CET	52589	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:53.166053057 CET	52589	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:53.166085005 CET	52589	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:53.170938015 CET	445	52589	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:53.170969009 CET	445	52589	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:53.329902887 CET	52596	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:53.334785938 CET	445	52596	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:53.334908962 CET	52596	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:53.334938049 CET	52596	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:43:53.339801073 CET	445	52596	45.247.224.1	192.168.2.9
Jan 14, 2025 22:43:53.955077887 CET	52597	445	192.168.2.9	72.237.206.254
Jan 14, 2025 22:43:53.959991932 CET	445	52597	72.237.206.254	192.168.2.9
Jan 14, 2025 22:43:53.960095882 CET	52597	445	192.168.2.9	72.237.206.254
Jan 14, 2025 22:43:53.960150003 CET	52597	445	192.168.2.9	72.237.206.254
Jan 14, 2025 22:43:53.960253000 CET	52598	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:43:53.965029955 CET	445	52598	72.237.206.1	192.168.2.9
Jan 14, 2025 22:43:53.965125084 CET	52598	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:43:53.965156078 CET	52598	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:43:53.965157986 CET	445	52597	72.237.206.254	192.168.2.9
Jan 14, 2025 22:43:53.965210915 CET	52597	445	192.168.2.9	72.237.206.254
Jan 14, 2025 22:43:53.965615034 CET	52599	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:43:53.970127106 CET	445	52598	72.237.206.1	192.168.2.9
Jan 14, 2025 22:43:53.970222950 CET	52598	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:43:53.970478058 CET	445	52599	72.237.206.1	192.168.2.9
Jan 14, 2025 22:43:53.970545053 CET	52599	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:43:53.972300053 CET	52599	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:43:53.977081060 CET	445	52599	72.237.206.1	192.168.2.9
Jan 14, 2025 22:43:54.476409912 CET	445	52487	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:54.476481915 CET	52487	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:54.476547956 CET	52487	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:54.476624012 CET	52487	445	192.168.2.9	4.3.90.1
Jan 14, 2025 22:43:54.481355906 CET	445	52487	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:54.481506109 CET	445	52487	4.3.90.1	192.168.2.9
Jan 14, 2025 22:43:54.533118010 CET	52601	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:43:54.537941933 CET	445	52601	4.3.90.2	192.168.2.9
Jan 14, 2025 22:43:54.538022041 CET	52601	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:43:54.538119078 CET	52601	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:43:54.539120913 CET	52602	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:43:54.542959929 CET	445	52601	4.3.90.2	192.168.2.9
Jan 14, 2025 22:43:54.543018103 CET	52601	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:43:54.543915033 CET	445	52602	4.3.90.2	192.168.2.9
Jan 14, 2025 22:43:54.543981075 CET	52602	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:43:54.544076920 CET	52602	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:43:54.548823118 CET	445	52602	4.3.90.2	192.168.2.9
Jan 14, 2025 22:43:54.735987902 CET	52603	445	192.168.2.9	87.181.237.59
Jan 14, 2025 22:43:54.740782022 CET	445	52603	87.181.237.59	192.168.2.9
Jan 14, 2025 22:43:54.740868092 CET	52603	445	192.168.2.9	87.181.237.59
Jan 14, 2025 22:43:54.743557930 CET	52603	445	192.168.2.9	87.181.237.59
Jan 14, 2025 22:43:54.743727922 CET	52604	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:43:54.748513937 CET	445	52604	87.181.237.1	192.168.2.9
Jan 14, 2025 22:43:54.748523951 CET	445	52603	87.181.237.59	192.168.2.9
Jan 14, 2025 22:43:54.748594046 CET	52603	445	192.168.2.9	87.181.237.59
Jan 14, 2025 22:43:54.748605013 CET	52604	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:43:54.751247883 CET	52604	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:43:54.755225897 CET	52605	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:43:54.756042004 CET	445	52604	87.181.237.1	192.168.2.9
Jan 14, 2025 22:43:54.756092072 CET	52604	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:43:54.760143042 CET	445	52605	87.181.237.1	192.168.2.9
Jan 14, 2025 22:43:54.760209084 CET	52605	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:43:54.763062000 CET	52605	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:43:54.767947912 CET	445	52605	87.181.237.1	192.168.2.9
Jan 14, 2025 22:43:55.361208916 CET	52606	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:55.366168976 CET	445	52606	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:55.366235018 CET	52606	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:55.366264105 CET	52606	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:43:55.371027946 CET	445	52606	102.101.193.1	192.168.2.9
Jan 14, 2025 22:43:55.523232937 CET	445	52496	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:55.523300886 CET	52496	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:55.523365974 CET	52496	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:55.523411989 CET	52496	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:55.528192043 CET	445	52496	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:55.528203011 CET	445	52496	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:56.173479080 CET	52609	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:56.178304911 CET	445	52609	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:56.178400993 CET	52609	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:56.178453922 CET	52609	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:56.183284998 CET	445	52609	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:56.382596970 CET	445	52504	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:56.382715940 CET	52504	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:56.386631012 CET	52504	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:56.386678934 CET	52504	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:56.391428947 CET	445	52504	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:56.391441107 CET	445	52504	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:56.491964102 CET	445	52507	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:56.492053986 CET	52507	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:56.492108107 CET	52507	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:56.492177010 CET	52507	445	192.168.2.9	64.4.253.1
Jan 14, 2025 22:43:56.496886015 CET	445	52507	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:56.496906042 CET	445	52507	64.4.253.1	192.168.2.9
Jan 14, 2025 22:43:56.548572063 CET	52610	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:43:56.553416014 CET	445	52610	64.4.253.2	192.168.2.9
Jan 14, 2025 22:43:56.553504944 CET	52610	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:43:56.553533077 CET	52610	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:43:56.553844929 CET	52611	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:43:56.558604002 CET	445	52611	64.4.253.2	192.168.2.9
Jan 14, 2025 22:43:56.558665037 CET	52611	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:43:56.558725119 CET	52611	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:43:56.562757969 CET	445	52610	64.4.253.2	192.168.2.9
Jan 14, 2025 22:43:56.563575983 CET	445	52611	64.4.253.2	192.168.2.9
Jan 14, 2025 22:43:56.568336010 CET	445	52610	64.4.253.2	192.168.2.9
Jan 14, 2025 22:43:56.568387985 CET	52610	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:43:58.023732901 CET	445	52609	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:58.023789883 CET	52609	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:58.026324987 CET	52609	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:58.026393890 CET	52609	445	192.168.2.9	210.166.219.1
Jan 14, 2025 22:43:58.031161070 CET	445	52609	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:58.031172991 CET	445	52609	210.166.219.1	192.168.2.9
Jan 14, 2025 22:43:58.079529047 CET	52619	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:58.084393024 CET	445	52619	210.166.219.2	192.168.2.9
Jan 14, 2025 22:43:58.084460020 CET	52619	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:58.084700108 CET	52619	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:58.085220098 CET	52620	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:58.089509964 CET	445	52619	210.166.219.2	192.168.2.9
Jan 14, 2025 22:43:58.089559078 CET	52619	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:58.090059996 CET	445	52620	210.166.219.2	192.168.2.9
Jan 14, 2025 22:43:58.090120077 CET	52620	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:58.090240955 CET	52620	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:58.094954967 CET	445	52620	210.166.219.2	192.168.2.9
Jan 14, 2025 22:43:58.400018930 CET	445	52521	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:58.400082111 CET	52521	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:58.400122881 CET	52521	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:58.400167942 CET	52521	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:43:58.404922009 CET	445	52521	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:58.404933929 CET	445	52521	48.189.89.1	192.168.2.9
Jan 14, 2025 22:43:58.532815933 CET	52624	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:58.622720003 CET	445	52624	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:58.622833967 CET	52624	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:58.622879028 CET	52624	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:43:58.627710104 CET	445	52624	144.109.189.1	192.168.2.9
Jan 14, 2025 22:43:58.638216019 CET	445	52523	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:58.638305902 CET	52523	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:58.638339996 CET	52523	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:58.638390064 CET	52523	445	192.168.2.9	190.197.148.1
Jan 14, 2025 22:43:58.643081903 CET	445	52523	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:58.643102884 CET	445	52523	190.197.148.1	192.168.2.9
Jan 14, 2025 22:43:58.705394030 CET	52625	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:43:58.710391045 CET	445	52625	190.197.148.2	192.168.2.9
Jan 14, 2025 22:43:58.710515022 CET	52625	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:43:58.710647106 CET	52625	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:43:58.711064100 CET	52626	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:43:58.715555906 CET	445	52625	190.197.148.2	192.168.2.9
Jan 14, 2025 22:43:58.715645075 CET	52625	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:43:58.715945005 CET	445	52626	190.197.148.2	192.168.2.9
Jan 14, 2025 22:43:58.716016054 CET	52626	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:43:58.716052055 CET	52626	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:43:58.720910072 CET	445	52626	190.197.148.2	192.168.2.9
Jan 14, 2025 22:43:59.273335934 CET	445	52527	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:59.273499966 CET	52527	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:59.273602009 CET	52527	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:59.273677111 CET	52527	445	192.168.2.9	77.201.178.2
Jan 14, 2025 22:43:59.278383970 CET	445	52527	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:59.278574944 CET	445	52527	77.201.178.2	192.168.2.9
Jan 14, 2025 22:43:59.330255985 CET	52632	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:43:59.335117102 CET	445	52632	77.201.178.3	192.168.2.9
Jan 14, 2025 22:43:59.335247040 CET	52632	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:43:59.335366964 CET	52632	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:43:59.335769892 CET	52633	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:43:59.340198040 CET	445	52632	77.201.178.3	192.168.2.9
Jan 14, 2025 22:43:59.340379953 CET	52632	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:43:59.340537071 CET	445	52633	77.201.178.3	192.168.2.9
Jan 14, 2025 22:43:59.340615988 CET	52633	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:43:59.340670109 CET	52633	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:43:59.345438957 CET	445	52633	77.201.178.3	192.168.2.9
Jan 14, 2025 22:43:59.392276049 CET	52634	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:59.397279978 CET	445	52634	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:59.397389889 CET	52634	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:59.397428989 CET	52634	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:43:59.402271032 CET	445	52634	76.118.156.1	192.168.2.9
Jan 14, 2025 22:43:59.950809002 CET	445	52620	210.166.219.2	192.168.2.9
Jan 14, 2025 22:43:59.950973988 CET	52620	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:59.951028109 CET	52620	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:59.951122046 CET	52620	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:43:59.955815077 CET	445	52620	210.166.219.2	192.168.2.9
Jan 14, 2025 22:43:59.955939054 CET	445	52620	210.166.219.2	192.168.2.9
Jan 14, 2025 22:44:00.275096893 CET	445	52535	150.120.191.1	192.168.2.9
Jan 14, 2025 22:44:00.275206089 CET	52535	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:44:00.275259972 CET	52535	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:44:00.275342941 CET	52535	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:44:00.280019999 CET	445	52535	150.120.191.1	192.168.2.9
Jan 14, 2025 22:44:00.280072927 CET	445	52535	150.120.191.1	192.168.2.9
Jan 14, 2025 22:44:00.539113045 CET	445	52537	136.196.81.1	192.168.2.9
Jan 14, 2025 22:44:00.539232016 CET	52537	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:44:00.541871071 CET	52537	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:44:00.541996956 CET	52537	445	192.168.2.9	136.196.81.1
Jan 14, 2025 22:44:00.546657085 CET	445	52537	136.196.81.1	192.168.2.9
Jan 14, 2025 22:44:00.546793938 CET	445	52537	136.196.81.1	192.168.2.9
Jan 14, 2025 22:44:00.629302025 CET	52648	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:00.634335995 CET	445	52648	136.196.81.2	192.168.2.9
Jan 14, 2025 22:44:00.634403944 CET	52648	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:00.634599924 CET	52648	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:00.635251999 CET	52649	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:00.639599085 CET	445	52648	136.196.81.2	192.168.2.9
Jan 14, 2025 22:44:00.639658928 CET	52648	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:00.640069008 CET	445	52649	136.196.81.2	192.168.2.9
Jan 14, 2025 22:44:00.640141010 CET	52649	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:00.640258074 CET	52649	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:00.645026922 CET	445	52649	136.196.81.2	192.168.2.9
Jan 14, 2025 22:44:01.408984900 CET	52659	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:44:01.545039892 CET	445	52659	48.189.89.1	192.168.2.9
Jan 14, 2025 22:44:01.545214891 CET	52659	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:44:01.547324896 CET	52659	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:44:01.553756952 CET	445	52659	48.189.89.1	192.168.2.9
Jan 14, 2025 22:44:02.044668913 CET	445	52549	69.246.167.1	192.168.2.9
Jan 14, 2025 22:44:02.044785976 CET	52549	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:44:02.044831038 CET	52549	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:44:02.044934988 CET	52549	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:44:02.049810886 CET	445	52549	69.246.167.1	192.168.2.9
Jan 14, 2025 22:44:02.049827099 CET	445	52549	69.246.167.1	192.168.2.9
Jan 14, 2025 22:44:02.565462112 CET	445	52554	143.113.52.1	192.168.2.9
Jan 14, 2025 22:44:02.565587997 CET	52554	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:44:02.565715075 CET	52554	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:44:02.565836906 CET	52554	445	192.168.2.9	143.113.52.1
Jan 14, 2025 22:44:02.570938110 CET	445	52554	143.113.52.1	192.168.2.9
Jan 14, 2025 22:44:02.571041107 CET	445	52554	143.113.52.1	192.168.2.9
Jan 14, 2025 22:44:02.628408909 CET	52678	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:02.633284092 CET	445	52678	143.113.52.2	192.168.2.9
Jan 14, 2025 22:44:02.633460999 CET	52678	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:02.633972883 CET	52679	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:02.634054899 CET	52678	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:02.638803005 CET	445	52679	143.113.52.2	192.168.2.9
Jan 14, 2025 22:44:02.638875961 CET	445	52678	143.113.52.2	192.168.2.9
Jan 14, 2025 22:44:02.638902903 CET	52679	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:02.638941050 CET	52678	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:02.638977051 CET	52679	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:02.643732071 CET	445	52679	143.113.52.2	192.168.2.9
Jan 14, 2025 22:44:02.954480886 CET	52688	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:44:02.959944963 CET	445	52688	210.166.219.2	192.168.2.9
Jan 14, 2025 22:44:02.960026026 CET	52688	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:44:02.960098028 CET	52688	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:44:02.964903116 CET	445	52688	210.166.219.2	192.168.2.9
Jan 14, 2025 22:44:03.287168980 CET	52694	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:44:03.292037964 CET	445	52694	150.120.191.1	192.168.2.9
Jan 14, 2025 22:44:03.292145014 CET	52694	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:44:03.293049097 CET	52694	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:44:03.297899961 CET	445	52694	150.120.191.1	192.168.2.9
Jan 14, 2025 22:44:03.669691086 CET	445	52559	169.10.57.1	192.168.2.9
Jan 14, 2025 22:44:03.669769049 CET	52559	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:44:03.672979116 CET	52559	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:44:03.673063993 CET	52559	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:44:03.677748919 CET	445	52559	169.10.57.1	192.168.2.9
Jan 14, 2025 22:44:03.677793980 CET	445	52559	169.10.57.1	192.168.2.9
Jan 14, 2025 22:44:04.654304028 CET	445	52560	181.221.235.1	192.168.2.9
Jan 14, 2025 22:44:04.654416084 CET	52560	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:44:04.654448032 CET	52560	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:44:04.654469967 CET	52560	445	192.168.2.9	181.221.235.1
Jan 14, 2025 22:44:04.659446001 CET	445	52560	181.221.235.1	192.168.2.9
Jan 14, 2025 22:44:04.659462929 CET	445	52560	181.221.235.1	192.168.2.9
Jan 14, 2025 22:44:04.720820904 CET	52736	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:04.725860119 CET	445	52736	181.221.235.2	192.168.2.9
Jan 14, 2025 22:44:04.726059914 CET	52736	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:04.726092100 CET	52736	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:04.726885080 CET	52737	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:04.731105089 CET	445	52736	181.221.235.2	192.168.2.9
Jan 14, 2025 22:44:04.731282949 CET	52736	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:04.731682062 CET	445	52737	181.221.235.2	192.168.2.9
Jan 14, 2025 22:44:04.731808901 CET	52737	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:04.731853008 CET	52737	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:04.736614943 CET	445	52737	181.221.235.2	192.168.2.9
Jan 14, 2025 22:44:04.788320065 CET	445	52688	210.166.219.2	192.168.2.9
Jan 14, 2025 22:44:04.788448095 CET	52688	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:44:04.788541079 CET	52688	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:44:04.788558960 CET	52688	445	192.168.2.9	210.166.219.2
Jan 14, 2025 22:44:04.793339014 CET	445	52688	210.166.219.2	192.168.2.9
Jan 14, 2025 22:44:04.793350935 CET	445	52688	210.166.219.2	192.168.2.9
Jan 14, 2025 22:44:04.845210075 CET	52742	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:04.850111961 CET	445	52742	210.166.219.3	192.168.2.9
Jan 14, 2025 22:44:04.850188971 CET	52742	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:04.850223064 CET	52742	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:04.850465059 CET	52743	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:04.855331898 CET	445	52742	210.166.219.3	192.168.2.9
Jan 14, 2025 22:44:04.855360985 CET	445	52743	210.166.219.3	192.168.2.9
Jan 14, 2025 22:44:04.855443954 CET	52742	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:04.855489016 CET	52743	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:04.855535984 CET	52743	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:04.860244036 CET	445	52743	210.166.219.3	192.168.2.9
Jan 14, 2025 22:44:05.048885107 CET	52750	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:44:05.053704023 CET	445	52750	69.246.167.1	192.168.2.9
Jan 14, 2025 22:44:05.053833008 CET	52750	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:44:05.060359001 CET	52750	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:44:05.065310955 CET	445	52750	69.246.167.1	192.168.2.9
Jan 14, 2025 22:44:05.230242968 CET	445	52563	143.130.7.1	192.168.2.9
Jan 14, 2025 22:44:05.230448008 CET	52563	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:44:05.230482101 CET	52563	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:44:05.230727911 CET	52563	445	192.168.2.9	143.130.7.1
Jan 14, 2025 22:44:05.235223055 CET	445	52563	143.130.7.1	192.168.2.9
Jan 14, 2025 22:44:05.235471010 CET	445	52563	143.130.7.1	192.168.2.9
Jan 14, 2025 22:44:06.601886034 CET	445	52567	194.135.85.1	192.168.2.9
Jan 14, 2025 22:44:06.601960897 CET	52567	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:44:06.605809927 CET	52567	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:44:06.605846882 CET	52567	445	192.168.2.9	194.135.85.1
Jan 14, 2025 22:44:06.610686064 CET	445	52567	194.135.85.1	192.168.2.9
Jan 14, 2025 22:44:06.610702038 CET	445	52567	194.135.85.1	192.168.2.9
Jan 14, 2025 22:44:06.636945963 CET	445	52564	52.178.54.1	192.168.2.9
Jan 14, 2025 22:44:06.637008905 CET	52564	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:44:06.638807058 CET	52564	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:44:06.638842106 CET	52564	445	192.168.2.9	52.178.54.1
Jan 14, 2025 22:44:06.643722057 CET	445	52564	52.178.54.1	192.168.2.9
Jan 14, 2025 22:44:06.643733025 CET	445	52564	52.178.54.1	192.168.2.9
Jan 14, 2025 22:44:06.691827059 CET	52874	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:44:06.696752071 CET	445	52874	169.10.57.1	192.168.2.9
Jan 14, 2025 22:44:06.696870089 CET	52874	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:44:06.698072910 CET	52874	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:44:06.702855110 CET	445	52874	169.10.57.1	192.168.2.9
Jan 14, 2025 22:44:06.704930067 CET	52876	445	192.168.2.9	52.178.54.2
Jan 14, 2025 22:44:06.709784985 CET	445	52876	52.178.54.2	192.168.2.9
Jan 14, 2025 22:44:06.709882021 CET	52876	445	192.168.2.9	52.178.54.2
Jan 14, 2025 22:44:06.717272997 CET	445	52743	210.166.219.3	192.168.2.9
Jan 14, 2025 22:44:06.717345953 CET	52743	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:06.734329939 CET	52876	445	192.168.2.9	52.178.54.2
Jan 14, 2025 22:44:06.739505053 CET	445	52876	52.178.54.2	192.168.2.9
Jan 14, 2025 22:44:06.739587069 CET	52876	445	192.168.2.9	52.178.54.2
Jan 14, 2025 22:44:06.741985083 CET	52743	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:06.741985083 CET	52743	445	192.168.2.9	210.166.219.3
Jan 14, 2025 22:44:06.746889114 CET	445	52743	210.166.219.3	192.168.2.9
Jan 14, 2025 22:44:06.746906042 CET	445	52743	210.166.219.3	192.168.2.9
Jan 14, 2025 22:44:06.781694889 CET	52881	445	192.168.2.9	52.178.54.2
Jan 14, 2025 22:44:06.786570072 CET	445	52881	52.178.54.2	192.168.2.9
Jan 14, 2025 22:44:06.786636114 CET	52881	445	192.168.2.9	52.178.54.2
Jan 14, 2025 22:44:07.949258089 CET	445	52570	87.157.193.1	192.168.2.9
Jan 14, 2025 22:44:07.950145006 CET	52570	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:44:07.951020002 CET	52580	445	192.168.2.9	3.72.157.1
Jan 14, 2025 22:44:07.951071978 CET	52626	445	192.168.2.9	190.197.148.2
Jan 14, 2025 22:44:07.951128006 CET	52611	445	192.168.2.9	64.4.253.2
Jan 14, 2025 22:44:07.951159000 CET	52585	445	192.168.2.9	99.38.44.2
Jan 14, 2025 22:44:07.951211929 CET	52602	445	192.168.2.9	4.3.90.2
Jan 14, 2025 22:44:07.951272964 CET	52881	445	192.168.2.9	52.178.54.2
Jan 14, 2025 22:44:07.951431990 CET	52574	445	192.168.2.9	115.211.37.1
Jan 14, 2025 22:44:07.951456070 CET	52576	445	192.168.2.9	100.186.60.2
Jan 14, 2025 22:44:07.951486111 CET	52577	445	192.168.2.9	201.15.39.1
Jan 14, 2025 22:44:07.951517105 CET	52570	445	192.168.2.9	87.157.193.1
Jan 14, 2025 22:44:07.951518059 CET	52571	445	192.168.2.9	181.105.239.1
Jan 14, 2025 22:44:07.951518059 CET	52583	445	192.168.2.9	169.191.254.1
Jan 14, 2025 22:44:07.951545000 CET	52586	445	192.168.2.9	85.167.36.1
Jan 14, 2025 22:44:07.951569080 CET	52596	445	192.168.2.9	45.247.224.1
Jan 14, 2025 22:44:07.951613903 CET	52592	445	192.168.2.9	75.17.203.1
Jan 14, 2025 22:44:07.951632023 CET	52595	445	192.168.2.9	71.168.64.1
Jan 14, 2025 22:44:07.951668024 CET	52599	445	192.168.2.9	72.237.206.1
Jan 14, 2025 22:44:07.951687098 CET	52605	445	192.168.2.9	87.181.237.1
Jan 14, 2025 22:44:07.951828957 CET	52624	445	192.168.2.9	144.109.189.1
Jan 14, 2025 22:44:07.951857090 CET	52634	445	192.168.2.9	76.118.156.1
Jan 14, 2025 22:44:07.951900005 CET	52633	445	192.168.2.9	77.201.178.3
Jan 14, 2025 22:44:07.951931000 CET	52649	445	192.168.2.9	136.196.81.2
Jan 14, 2025 22:44:07.952053070 CET	52694	445	192.168.2.9	150.120.191.1
Jan 14, 2025 22:44:07.952059984 CET	52659	445	192.168.2.9	48.189.89.1
Jan 14, 2025 22:44:07.952112913 CET	52750	445	192.168.2.9	69.246.167.1
Jan 14, 2025 22:44:07.952121973 CET	52606	445	192.168.2.9	102.101.193.1
Jan 14, 2025 22:44:07.952121973 CET	52679	445	192.168.2.9	143.113.52.2
Jan 14, 2025 22:44:07.952225924 CET	52737	445	192.168.2.9	181.221.235.2
Jan 14, 2025 22:44:07.952419996 CET	52874	445	192.168.2.9	169.10.57.1
Jan 14, 2025 22:45:07.996119022 CET	52883	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:45:08.000977039 CET	80	52883	103.224.212.215	192.168.2.9
Jan 14, 2025 22:45:08.001111031 CET	52883	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:45:08.001308918 CET	52883	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:45:08.006052017 CET	80	52883	103.224.212.215	192.168.2.9
Jan 14, 2025 22:45:08.618552923 CET	80	52883	103.224.212.215	192.168.2.9
Jan 14, 2025 22:45:08.618585110 CET	80	52883	103.224.212.215	192.168.2.9
Jan 14, 2025 22:45:08.618751049 CET	52883	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:45:08.618751049 CET	52883	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:45:08.620822906 CET	52883	80	192.168.2.9	103.224.212.215
Jan 14, 2025 22:45:08.621642113 CET	52884	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:45:08.625593901 CET	80	52883	103.224.212.215	192.168.2.9
Jan 14, 2025 22:45:08.626429081 CET	80	52884	199.59.243.228	192.168.2.9
Jan 14, 2025 22:45:08.626487017 CET	52884	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:45:08.627170086 CET	52884	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:45:08.631896019 CET	80	52884	199.59.243.228	192.168.2.9
Jan 14, 2025 22:45:09.081530094 CET	80	52884	199.59.243.228	192.168.2.9
Jan 14, 2025 22:45:09.081548929 CET	80	52884	199.59.243.228	192.168.2.9
Jan 14, 2025 22:45:09.081590891 CET	52884	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:45:09.081629038 CET	52884	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:45:09.084799051 CET	52884	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:45:09.084820032 CET	52884	80	192.168.2.9	199.59.243.228
Jan 14, 2025 22:45:09.089262009 CET	52885	445	192.168.2.9	134.138.16.55
Jan 14, 2025 22:45:09.094063044 CET	445	52885	134.138.16.55	192.168.2.9
Jan 14, 2025 22:45:09.094140053 CET	52885	445	192.168.2.9	134.138.16.55
Jan 14, 2025 22:45:09.094182968 CET	52885	445	192.168.2.9	134.138.16.55
Jan 14, 2025 22:45:09.094321012 CET	52886	445	192.168.2.9	134.138.16.1
Jan 14, 2025 22:45:09.099234104 CET	445	52886	134.138.16.1	192.168.2.9
Jan 14, 2025 22:45:09.099246025 CET	445	52885	134.138.16.55	192.168.2.9
Jan 14, 2025 22:45:09.099293947 CET	52885	445	192.168.2.9	134.138.16.55
Jan 14, 2025 22:45:09.099320889 CET	52886	445	192.168.2.9	134.138.16.1
Jan 14, 2025 22:45:09.099358082 CET	52886	445	192.168.2.9	134.138.16.1
Jan 14, 2025 22:45:09.099582911 CET	52889	445	192.168.2.9	134.138.16.1
Jan 14, 2025 22:45:09.104428053 CET	445	52886	134.138.16.1	192.168.2.9
Jan 14, 2025 22:45:09.104440928 CET	445	52889	134.138.16.1	192.168.2.9
Jan 14, 2025 22:45:09.104485989 CET	52886	445	192.168.2.9	134.138.16.1
Jan 14, 2025 22:45:09.104502916 CET	52889	445	192.168.2.9	134.138.16.1
Jan 14, 2025 22:45:09.104526043 CET	52889	445	192.168.2.9	134.138.16.1
Jan 14, 2025 22:45:09.109603882 CET	445	52889	134.138.16.1	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 22:42:59.628746986 CET	64051	53	192.168.2.9	1.1.1.1
Jan 14, 2025 22:42:59.782392979 CET	53	64051	1.1.1.1	192.168.2.9
Jan 14, 2025 22:43:00.484339952 CET	60757	53	192.168.2.9	1.1.1.1
Jan 14, 2025 22:43:00.815172911 CET	53	60757	1.1.1.1	192.168.2.9
Jan 14, 2025 22:43:13.268645048 CET	137	137	192.168.2.9	192.168.2.255
Jan 14, 2025 22:43:14.032547951 CET	137	137	192.168.2.9	192.168.2.255
Jan 14, 2025 22:43:14.798147917 CET	137	137	192.168.2.9	192.168.2.255
Jan 14, 2025 22:43:17.358597040 CET	53	51625	1.1.1.1	192.168.2.9
Jan 14, 2025 22:43:21.219237089 CET	137	137	192.168.2.9	192.168.2.255
Jan 14, 2025 22:43:21.954827070 CET	137	137	192.168.2.9	192.168.2.255
Jan 14, 2025 22:43:22.704338074 CET	137	137	192.168.2.9	192.168.2.255
Jan 14, 2025 22:43:52.029742002 CET	138	138	192.168.2.9	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 22:42:59.628746986 CET	192.168.2.9	1.1.1.1	0x8f61	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 22:43:00.484339952 CET	192.168.2.9	1.1.1.1	0xf5eb	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 22:42:55.661546946 CET	1.1.1.1	192.168.2.9	0xdecd	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 22:42:55.661546946 CET	1.1.1.1	192.168.2.9	0xdecd	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 22:42:59.782392979 CET	1.1.1.1	192.168.2.9	0x8f61	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 14, 2025 22:43:00.815172911 CET	1.1.1.1	192.168.2.9	0xf5eb	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 22:43:00.815172911 CET	1.1.1.1	192.168.2.9	0xf5eb	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49727	103.224.212.215	80	7440	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:42:59.826843023 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 22:43:00.434376001 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 21:43:00 GMT server: Apache set-cookie: __tad=1736890980.6404981; expires=Fri, 12-Jan-2035 21:43:00 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939b2 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49738	199.59.243.228	80	7440	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:43:00.861591101 CET	169	OUT	GET /?subid1=20250115-0843-0023-a483-adfaa7c939b2 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 22:43:01.324824095 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 21:43:00 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: b07e05a2-6afb-4967-a1ef-8668f7ec5591 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Ky9FCjhsz0l1jlOUH378SpLYR3fNCvRMk/PllRehm7TJhZpGTsElM7BAELm2xNdQ5CSfqpgA0XHskhWlxAdrQw== set-cookie: parking_session=b07e05a2-6afb-4967-a1ef-8668f7ec5591; expires=Tue, 14 Jan 2025 21:58:01 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4b 79 39 46 43 6a 68 73 7a 30 6c 31 6a 6c 4f 55 48 33 37 38 53 70 4c 59 52 33 66 4e 43 76 52 4d 6b 2f 50 6c 6c 52 65 68 6d 37 54 4a 68 5a 70 47 54 73 45 6c 4d 37 42 41 45 4c 6d 32 78 4e 64 51 35 43 53 66 71 70 67 41 30 58 48 73 6b 68 57 6c 78 41 64 72 51 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Ky9FCjhsz0l1jlOUH378SpLYR3fNCvRMk/PllRehm7TJhZpGTsElM7BAELm2xNdQ5CSfqpgA0XHskhWlxAdrQw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 22:43:01.324837923 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjA3ZTA1YTItNmFmYi00OTY3LWExZWYtODY2OGY3ZWM1NTkxIiwicGFnZV90aW1lIjoxNzM2ODkwOTgxLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49740	103.224.212.215	80	7568	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:43:01.483303070 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 22:43:02.106354952 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 21:43:02 GMT server: Apache set-cookie: __tad=1736890982.6646778; expires=Fri, 12-Jan-2035 21:43:02 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5fe8 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49745	199.59.243.228	80	7568	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:43:02.144985914 CET	169	OUT	GET /?subid1=20250115-0843-0290-ac2b-9956998a5fe8 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 22:43:02.628145933 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 21:43:02 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 2cbec7df-7a4e-4fc1-b8dc-49a84fddeb8c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vwhqSgQvYWbGFcm3Y1N2e6SCvvs601J8tw3PkljR4Am9brMf8RXRz4ghbZ3EiCP1bBmr2rt5+7/WiszYNnExHw== set-cookie: parking_session=2cbec7df-7a4e-4fc1-b8dc-49a84fddeb8c; expires=Tue, 14 Jan 2025 21:58:02 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 76 77 68 71 53 67 51 76 59 57 62 47 46 63 6d 33 59 31 4e 32 65 36 53 43 76 76 73 36 30 31 4a 38 74 77 33 50 6b 6c 6a 52 34 41 6d 39 62 72 4d 66 38 52 58 52 7a 34 67 68 62 5a 33 45 69 43 50 31 62 42 6d 72 32 72 74 35 2b 37 2f 57 69 73 7a 59 4e 6e 45 78 48 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vwhqSgQvYWbGFcm3Y1N2e6SCvvs601J8tw3PkljR4Am9brMf8RXRz4ghbZ3EiCP1bBmr2rt5+7/WiszYNnExHw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 22:43:02.628165007 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmNiZWM3ZGYtN2E0ZS00ZmMxLWI4ZGMtNDlhODRmZGRlYjhjIiwicGFnZV90aW1lIjoxNzM2ODkwOTgyLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49746	103.224.212.215	80	7620	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:43:02.176923990 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736890980.6404981
Jan 14, 2025 22:43:02.782998085 CET	269	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 21:43:02 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e6379487 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49758	199.59.243.228	80	7620	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:43:02.793771029 CET	231	OUT	GET /?subid1=20250115-0843-02ad-b855-1345e6379487 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=b07e05a2-6afb-4967-a1ef-8668f7ec5591
Jan 14, 2025 22:43:03.270257950 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 21:43:02 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 758310cf-22d9-4389-bbfe-286bbf401fa1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VinMiU/YKW8qI53LjabMmeR2nBIo4K3Kbo6mA5TKsq3OL011wxkpB7uy+z6wBrn4U6Qfc21MdRoR1Nyfw0x88w== set-cookie: parking_session=b07e05a2-6afb-4967-a1ef-8668f7ec5591; expires=Tue, 14 Jan 2025 21:58:03 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 56 69 6e 4d 69 55 2f 59 4b 57 38 71 49 35 33 4c 6a 61 62 4d 6d 65 52 32 6e 42 49 6f 34 4b 33 4b 62 6f 36 6d 41 35 54 4b 73 71 33 4f 4c 30 31 31 77 78 6b 70 42 37 75 79 2b 7a 36 77 42 72 6e 34 55 36 51 66 63 32 31 4d 64 52 6f 52 31 4e 79 66 77 30 78 38 38 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VinMiU/YKW8qI53LjabMmeR2nBIo4K3Kbo6mA5TKsq3OL011wxkpB7uy+z6wBrn4U6Qfc21MdRoR1Nyfw0x88w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 14, 2025 22:43:03.270272970 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjA3ZTA1YTItNmFmYi00OTY3LWExZWYtODY2OGY3ZWM1NTkxIiwicGFnZV90aW1lIjoxNzM2ODkwOTgzLCJwYWdlX3VybCI6Imh0dHA6L

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.9	52883	103.224.212.215	80

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:45:08.001308918 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 14, 2025 22:45:08.618552923 CET	365	IN	HTTP/1.1 302 Found date: Tue, 14 Jan 2025 21:45:08 GMT server: Apache set-cookie: __tad=1736891108.2384685; expires=Fri, 12-Jan-2035 21:45:08 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0845-0884-8536-91f430fa231d content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.9	52884	199.59.243.228	80

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 22:45:08.627170086 CET	169	OUT	GET /?subid1=20250115-0845-0884-8536-91f430fa231d HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 14, 2025 22:45:09.081530094 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 21:45:08 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: ce8da246-ee4b-4729-b5a6-f57171401c6c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dYEgLdWT1JsQ+gXldiFOGcYd8/iFWgrJjParVcGRfpWgsBcbNKLYiOWDED8ijfFDL1sCVhdtEK6VlQXQCV17hA== set-cookie: parking_session=ce8da246-ee4b-4729-b5a6-f57171401c6c; expires=Tue, 14 Jan 2025 22:00:09 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 59 45 67 4c 64 57 54 31 4a 73 51 2b 67 58 6c 64 69 46 4f 47 63 59 64 38 2f 69 46 57 67 72 4a 6a 50 61 72 56 63 47 52 66 70 57 67 73 42 63 62 4e 4b 4c 59 69 4f 57 44 45 44 38 69 6a 66 46 44 4c 31 73 43 56 68 64 74 45 4b 36 56 6c 51 58 51 43 56 31 37 68 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dYEgLdWT1JsQ+gXldiFOGcYd8/iFWgrJjParVcGRfpWgsBcbNKLYiOWDED8ijfFDL1sCVhdtEK6VlQXQCV17hA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 14, 2025 22:45:09.081548929 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2U4ZGEyNDYtZWU0Yi00NzI5LWI1YTYtZjU3MTcxNDAxYzZjIiwicGFnZV90aW1lIjoxNzM2ODkxMTA5LCJwYWdlX3VybCI6I

Target ID:	0
Start time:	16:42:58
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll"
Imagebase:	0x560000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:42:58
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:42:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:42:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame
Imagebase:	0x8b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:42:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1
Imagebase:	0x8b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:42:58
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	FF830E078CB269B709C952BDF1F34D24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1336734524.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:43:00
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	FF830E078CB269B709C952BDF1F34D24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1359729095.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2016361125.0000000002384000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2015998105.0000000001E5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:43:01
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",PlayGame
Imagebase:	0x8b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:43:01
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	FF830E078CB269B709C952BDF1F34D24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1389292837.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1365918332.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:43:01
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	2'061'938 bytes
MD5 hash:	CBB4BE2403D2BE4554AA9BE6B49A7B62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	16:43:03
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	2'061'938 bytes
MD5 hash:	CBB4BE2403D2BE4554AA9BE6B49A7B62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
CloseHandle, xrefs: 00407D29
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000006.00000002.1373607042.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1373582879.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373628885.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373718222.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1373607042.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1373582879.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373628885.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373718222.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1373607042.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1373582879.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373628885.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373718222.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.1373607042.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1373582879.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373628885.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373718222.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1373607042.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1373582879.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373628885.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373718222.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1373831429.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 7568, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2014314267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2014276126.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014337204.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014663758.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014764544.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2014314267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2014276126.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014337204.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014663758.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014764544.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000008.00000002.2014314267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2014276126.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014337204.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014663758.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014764544.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

kernel32.dll, xrefs: 00407CEA
C:\%s\%s, xrefs: 00407DFB
CreateFileA, xrefs: 00407D0F
/i, xrefs: 00407E8D
CreateProcessA, xrefs: 00407D07
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
WINDOWS, xrefs: 00407DF2, 00407E0D
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000008.00000002.2014314267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2014276126.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014337204.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014663758.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014764544.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2014314267.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2014276126.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014337204.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014451935.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014663758.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2014764544.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2015069962.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 7700, Parent PID: 7440COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	33

Executed Functions

Function 0040FEF0 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 189
filecomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410E1C: GetModuleHandleW.KERNEL32(kernel32,0040FF03,00000001), ref: 00410E21
Part of subcall function 00410E1C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410E31

OleInitialize.OLE32(00000000), ref: 0040FF06

Part of subcall function 00411F56: GetCPInfo.KERNEL32(00000000,?,?,?,?,0040FF16), ref: 00411F67
Part of subcall function 00411F56: IsDBCSLeadByte.KERNEL32(00000000), ref: 00411F7B

_memset.LIBCMT ref: 0040FF22
GetCommandLineW.KERNEL32 ref: 0040FF2A
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0040FF50
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 0040FF62
UnmapViewOfFile.KERNEL32(00000000), ref: 0040FF8B

Part of subcall function 0040D5F7: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0040D610
Part of subcall function 0040D5F7: SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D643

CloseHandle.KERNEL32(?), ref: 0040FF94
GetModuleFileNameW.KERNEL32(00000000,00439820,00000800), ref: 0040FFAE
SetEnvironmentVariableW.KERNELBASE(sfxname,00439820), ref: 0040FFC0
GetLocalTime.KERNEL32(?), ref: 0040FFC6
_swprintf.LIBCMT ref: 0040FFFD
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00410011
GetModuleHandleW.KERNEL32(00000000), ref: 00410014
LoadIconW.USER32(00000000,00000064), ref: 0041002B
LoadBitmapW.USER32(00000065), ref: 0041003E
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,0040F58D,00000000), ref: 0041009D
DeleteObject.GDI32 ref: 004100FE
DeleteObject.GDI32(?), ref: 0041010A

Part of subcall function 0040D64B: CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D6AC
Part of subcall function 0040D64B: CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D6D3

CloseHandle.KERNEL32(000000FF), ref: 00410147
Sleep.KERNEL32(?), ref: 00410157
OleUninitialize.OLE32 ref: 0041015D

Strings

winrarsfxmappingfile.tmp, xrefs: 0040FF44
STARTDLG, xrefs: 0041008F
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0040FFEF
sfxstime, xrefs: 0041000C
sfxname, xrefs: 0040FFBB

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$CharCloseDeleteLoadObjectUpperView$AddressBitmapByteCommandDialogIconInfoInitializeLeadLineLocalMappingNameOpenParamProcSleepTimeUninitializeUnmap_memset_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 2890863147-3710569615
Opcode ID: e302a6a03e0c0a9aaa08beecaf1dedc93de811017ef03846853a5e8821ade7c7
Instruction ID: f6d524faf13461bd4ea8cb5a97d50562f0dad5b6822c88fd20d602f5543b7383
Opcode Fuzzy Hash: e302a6a03e0c0a9aaa08beecaf1dedc93de811017ef03846853a5e8821ade7c7
Instruction Fuzzy Hash: 5061D971A00205BFC720BFA1DC499AE7BB8EB05314F50443BF901A22A1DB7D4D95DB6E

Function 00402F2C Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00402F35
_memcmp.LIBCMT ref: 00402FFD
_memcmp.LIBCMT ref: 004032D7

Strings

@, xrefs: 004034A4
CMT, xrefs: 0040355A

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memcmp$H_prolog
String ID: @$CMT
API String ID: 212800410-3935043585
Opcode ID: 37295884825835a7901171c985930d0b7c01ea67690c6e0965a3387f9fb6a373
Instruction ID: 4535b6ba2d5654eb70152741eafeedd3820f65e0183003bc7b62017ff8f1088e
Opcode Fuzzy Hash: 37295884825835a7901171c985930d0b7c01ea67690c6e0965a3387f9fb6a373
Instruction Fuzzy Hash: 252215715006849FDB24DF24C891BDA3BE5AF14308F08057FED4AEB2C6DB799588CB69

Function 00409476 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000800,?,?,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 004094A4
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 004094D4
GetLastError.KERNEL32(?,?,00000800,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 004094DE
FindNextFileW.KERNEL32(000000FF,?,00000800,?,?,?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000), ref: 00409508
GetLastError.KERNEL32(?,004096E5,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 00409516

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 2a733cbadd2ca7cd29a11b90f53c863ddd5810a24544a1ec061ee6039bd7df5a
Instruction ID: 852f22f8762d0aaf1b59ecd7198268998001e7cc0733578d9edc4610c3c70bd0
Opcode Fuzzy Hash: 2a733cbadd2ca7cd29a11b90f53c863ddd5810a24544a1ec061ee6039bd7df5a
Instruction Fuzzy Hash: 2E414071500648ABCB21DF29CC84ADA77F8AF48350F10466AF9AEE2291D774AEC1DB14

Function 0040F58D Relevance: 112.7, APIs: 55, Strings: 9, Instructions: 691COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F592

Strings

<, xrefs: 0040F92E
__tmp_rar_sfx_access_check_%u, xrefs: 0040F836
winrarsfxmappingfile.tmp, xrefs: 0040F90B
STARTDLG, xrefs: 0040F5AA
"%s"%s, xrefs: 0040FA5E
-el -s2 "-d%s" "-p%s" "-sp%s", xrefs: 0040F8F2
z8D, xrefs: 0040F8D5
LICENSEDLG, xrefs: 0040FD8B
@, xrefs: 0040F935

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$z8D
API String ID: 3519838083-129321368
Opcode ID: a4dd4ca0380014ca9fbcc784b7d3cd6a11c13eb0733f377532361ed44e646897
Instruction ID: cc4c1e380d3e9e53cf766c3de9df5bd6880f95cbde9f973ccf433d51db550174
Opcode Fuzzy Hash: a4dd4ca0380014ca9fbcc784b7d3cd6a11c13eb0733f377532361ed44e646897
Instruction Fuzzy Hash: C732C371540248BFEB31BF619C85E9B3A68EB06304F44407BF901B61E2DB794999CB6E

Function 0040E857 Relevance: 73.9, APIs: 35, Strings: 7, Instructions: 411
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040E85C

Part of subcall function 0040D781: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0040D82F

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,00000800,?,00000000,753D5540,?,0040F541,?,00000003), ref: 0040E9A7
_wcslen.LIBCMT ref: 0040E9E2
_wcslen.LIBCMT ref: 0040E9F7
_wcslen.LIBCMT ref: 0040EA1D
_memset.LIBCMT ref: 0040EA33
SHFileOperationW.SHELL32 ref: 0040EA56
GetFileAttributesW.KERNEL32(?), ref: 0040EA63
DeleteFileW.KERNEL32(?), ref: 0040EA71
_wcscat.LIBCMT ref: 0040EB27
_wcslen.LIBCMT ref: 0040EB5F
_realloc.LIBCMT ref: 0040EB71
_wcscat.LIBCMT ref: 0040EB8B
SetWindowTextW.USER32(?,?), ref: 0040EBBC
_wcslen.LIBCMT ref: 0040EC05
_wcscpy.LIBCMT ref: 0040ED23
_wcsrchr.LIBCMT ref: 0040ED33
_wcscpy.LIBCMT ref: 0040ED52
GetDlgItem.USER32(?,00000066), ref: 0040ED6B
SetWindowTextW.USER32(00000000,?), ref: 0040ED7B
SendMessageW.USER32(00000000,00000143,00000000,%s.%d.tmp), ref: 0040ED8A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040EDB6

Strings

%s.%d.tmp, xrefs: 0040E999, 0040EA8E, 0040ED51, 0040ED81, 0040ED97
<br>, xrefs: 0040EB21
C:\Windows, xrefs: 0040E8B5
ProgramFilesDir, xrefs: 0040EC7D
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040EC58
\, xrefs: 0040ECCB
", xrefs: 0040EBE1

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcslen$File$AttributesMessageSendTextWindow_wcscat_wcscpy$DeleteEnvironmentExpandH_prologItemOperationStrings_memset_realloc_wcsrchr
String ID: "$%s.%d.tmp$<br>$C:\Windows$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\
API String ID: 3339014310-2533930246
Opcode ID: c81f8d7f1960366ff0ac0b138369ee3006538eb7a10c16c36d47d9a37235cbbb
Instruction ID: 0f1639a2c7fd1c8d50817f8e0d6f0902ef34777a202bf9cba062cd401a3abf5d
Opcode Fuzzy Hash: c81f8d7f1960366ff0ac0b138369ee3006538eb7a10c16c36d47d9a37235cbbb
Instruction Fuzzy Hash: F2F14EB1900219AADB20DBA1DC45BEE7378FF04314F4408BBFA15B21D1EB789A958F59

Function 0040BC32 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040BC37
_wcschr.LIBCMT ref: 0040BC4E
GetModuleFileNameW.KERNEL32(00000000,?,00000800,004335BC,0040C3B4,0041005C,00439820,0041005C,00439820), ref: 0040BC67
_wcsrchr.LIBCMT ref: 0040BC76
_wcscpy.LIBCMT ref: 0040BC8C
_malloc.LIBCMT ref: 0040BE13

Part of subcall function 00408BAE: SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408BE1
Part of subcall function 00408BAE: GetLastError.KERNEL32(?,?), ref: 00408BEE

_strncmp.LIBCMT ref: 0040BD3F
_strncmp.LIBCMT ref: 0040BD9B
_malloc.LIBCMT ref: 0040BE49

Strings

*messages***, xrefs: 0040BD6B
*messages***, xrefs: 0040BD39
a, xrefs: 0040BD82

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: File_malloc_strncmp$ErrorH_prologLastModuleNamePointer_wcschr_wcscpy_wcsrchr
String ID: *messages***$*messages***$a
API String ID: 644328012-1639468518
Opcode ID: cfa50f55f05dd38727f7e2c767a8efa24f78901bf0e7e1d2db41408b4bb4ba45
Instruction ID: aa973f8903d1be904dc07ab5abbbb304e5ce1521a2ae556c165a5ca6c4136d8e
Opcode Fuzzy Hash: cfa50f55f05dd38727f7e2c767a8efa24f78901bf0e7e1d2db41408b4bb4ba45
Instruction Fuzzy Hash: 5981F2B1A002099ADB34DF64CC85BEA77A4EF10354F10417FE791B72D1DBB88A85CA9D

Function 0040C15C Relevance: 21.2, APIs: 14, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040C075: _wcschr.LIBCMT ref: 0040C0A5

GetWindowRect.USER32(?,?), ref: 0040C185
GetClientRect.USER32(?,?), ref: 0040C192
GetWindowLongW.USER32(?,000000F0), ref: 0040C21E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040C242
GetWindowRect.USER32(?,?), ref: 0040C24F
GetWindowTextW.USER32(?,?,00000400), ref: 0040C26E
SetWindowTextW.USER32(?,?), ref: 0040C294
GetSystemMetrics.USER32(00000008), ref: 0040C2A3
GetWindow.USER32(?,00000005), ref: 0040C2B0
GetWindowTextW.USER32(00000000,?,00000400), ref: 0040C2DD
SetWindowTextW.USER32(00000000,00000000), ref: 0040C30D
GetWindowRect.USER32(00000000,?), ref: 0040C320
SetWindowPos.USER32(00000000,00000000,00000000,00000110,00000000,00000110,00000204), ref: 0040C37D
GetWindow.USER32(00000000,00000002), ref: 0040C388

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID:
API String ID: 4134264131-0
Opcode ID: 9886efa1d7aa19233dee01def18c78a05a732e10b374928cec257c7fc49daa0d
Instruction ID: 46c95fab82868b9c938a6533d3e49af797eb3fa96210388a24d02bb49560b234
Opcode Fuzzy Hash: 9886efa1d7aa19233dee01def18c78a05a732e10b374928cec257c7fc49daa0d
Instruction Fuzzy Hash: 9A711671A00219EFDF10DFE8CC89AEEBBB9FB08314F048169FD15B61A0D774AA558B54

Function 0040D298 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
windowCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00000000), ref: 0040D2A9
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040D3E6,00000001,?,?,0040E2C6,0042A848,0044CF30,0044CF30,00001000), ref: 0040D2D6
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0040D2E2
SendMessageW.USER32(00000000,000000C2,00000000,0042A73C), ref: 0040D2F1
SendMessageW.USER32(0040639B,000000B1,05F5E100,05F5E100), ref: 0040D305
SendMessageW.USER32(0040639B,0000043A,00000000,?), ref: 0040D31C
SendMessageW.USER32(0040639B,00000444,00000001,0000005C), ref: 0040D357
SendMessageW.USER32(0040639B,000000C2,00000000,00000456), ref: 0040D366
SendMessageW.USER32(0040639B,000000B1,05F5E100,05F5E100), ref: 0040D36E
SendMessageW.USER32(0040639B,00000444,00000001,0000005C), ref: 0040D392
SendMessageW.USER32(0040639B,000000C2,00000000,0042A810), ref: 0040D3A3

Part of subcall function 0041918B: DestroyWindow.USER32(?,753D5540,0040D2D3,?,?,?,?,?,0040D3E6,00000001,?,?,0040E2C6,0042A848,0044CF30,0044CF30), ref: 00419196

Strings

\, xrefs: 0040D315

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: MessageSend$Window$DestroyItemShow
String ID: \
API String ID: 2996232536-2967466578
Opcode ID: 099f520084dbf5fca48704fc3201186082e925487be8ae0bd6b4d09b2fa327de
Instruction ID: 06257c9e161764c7d53c24ae9c51dbab41789d270eb5449b748dea2bf3ac4db1
Opcode Fuzzy Hash: 099f520084dbf5fca48704fc3201186082e925487be8ae0bd6b4d09b2fa327de
Instruction Fuzzy Hash: C431B170E4025CBBEB219BA0CC4AFAEBFB9EB41714F10412AF500BA1E0D7B51D55DB59

Function 0041A060 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 30
librarycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(riched32.dll,00000000,00439820,?,?,?,00410051), ref: 0041A07B
LoadLibraryW.KERNEL32(riched20.dll,?,00410051), ref: 0041A084
OleInitialize.OLE32(00000000), ref: 0041A08B
InitCommonControlsEx.COMCTL32(?), ref: 0041A0A3
SHGetMalloc.SHELL32(0044F800), ref: 0041A0AE

Strings

riched20.dll, xrefs: 0041A07D
riched32.dll, xrefs: 0041A076

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: LibraryLoad$CommonControlsInitInitializeMalloc
String ID: riched20.dll$riched32.dll
API String ID: 448729520-3294723617
Opcode ID: 8624e4f240296107261ce0a47b5d27c571c626025523bcd3f0aeccd25934cca6
Instruction ID: d62a9b991739124620cbbd73e07a01740528edc951963754c9102d88a2026b42
Opcode Fuzzy Hash: 8624e4f240296107261ce0a47b5d27c571c626025523bcd3f0aeccd25934cca6
Instruction Fuzzy Hash: EFF08271B00318AFD7209FA5DC0EB9ABBE8EF40766F50442DE54593250DBB8A4458BA9

Function 0040DA8C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DA4F: _wcscpy.LIBCMT ref: 0040DA54

RegCreateKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,C:\Windows), ref: 0040DAD9
_wcslen.LIBCMT ref: 0040DAE7
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?), ref: 0040DB02
RegCloseKey.KERNELBASE(?), ref: 0040DB0B

Strings

Software\WinRAR SFX, xrefs: 0040DACF
C:\Windows, xrefs: 0040DAA4, 0040DAAE

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CloseCreateValue_wcscpy_wcslen
String ID: C:\Windows$Software\WinRAR SFX
API String ID: 3170333323-1036045337
Opcode ID: 253b5885f96daf7b7a8b4f1510ea2afe6e1404dcbc281fb2c19877bebd1cbb3e
Instruction ID: c04f9cf324d6fb33717342d95d48926d42d97767c878bcc2ae640bd506731f16
Opcode Fuzzy Hash: 253b5885f96daf7b7a8b4f1510ea2afe6e1404dcbc281fb2c19877bebd1cbb3e
Instruction Fuzzy Hash: 7F018476A0020CBFEB21AF90DC86EDA777CEB08388F504076B60562061DA745ED99669

Function 0041A506 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0041A524

Part of subcall function 0041EFA3: __mtinitlocknum.LIBCMT ref: 0041EFB9
Part of subcall function 0041EFA3: __amsg_exit.LIBCMT ref: 0041EFC5
Part of subcall function 0041EFA3: EnterCriticalSection.KERNEL32(0041A9AB,0041A9AB,?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001), ref: 0041EFCD

___sbh_find_block.LIBCMT ref: 0041A52F
___sbh_free_block.LIBCMT ref: 0041A53E
RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 1eba3eb2bfd23f5b1e043426ba5b029f38dd9947a11c8dba489f2cac3b6c6ae4
Instruction ID: 0c17081243acc93c5e04f74f5850e91c5e9c62578e05a8caa74c22d26ff5c9bd
Opcode Fuzzy Hash: 1eba3eb2bfd23f5b1e043426ba5b029f38dd9947a11c8dba489f2cac3b6c6ae4
Instruction Fuzzy Hash: 1D01847194A215BBDB306BB29C067DE3B65AF00798F10012BFC0496291DB3C86D19A5E

Function 00411119 Relevance: 7.5, APIs: 5, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041102B: ResetEvent.KERNEL32(?,00000200,?,?,00405016), ref: 00411051
Part of subcall function 0041102B: ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00411061

ReleaseSemaphore.KERNEL32(?,00000020,00000000,?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411135
CloseHandle.KERNELBASE(00000003,00000003,?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411156
DeleteCriticalSection.KERNEL32(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 0041116C
CloseHandle.KERNELBASE(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411178
CloseHandle.KERNEL32(?,?,0044F590,00411241,?,00401024,?,?,0040128E), ref: 00411180

Part of subcall function 00410EA0: WaitForSingleObject.KERNEL32(?,000000FF,00410FD9,?,?,00411197,?,?,?,?,?,004111E6), ref: 00410EA6
Part of subcall function 00410EA0: GetLastError.KERNEL32(?,?,?,?,?,004111E6), ref: 00410EB2

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 29ee5acdc12332976cb057a69276285ab821669b88e8e9e7981cd7b54762f760
Instruction ID: 628da898c48b8095e2505876ae832dd6733ab043d372e65b09dbeb3e2adc3a3f
Opcode Fuzzy Hash: 29ee5acdc12332976cb057a69276285ab821669b88e8e9e7981cd7b54762f760
Instruction Fuzzy Hash: F9F06275101704AFD7206B70DC45BD7BBA5EB0A354F00042AF7AA41120CB7768A19B29

Function 0040DB16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DA4F: _wcscpy.LIBCMT ref: 0040DA54

RegOpenKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000001,?,?), ref: 0040DB51
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0040DB7E
RegCloseKey.ADVAPI32(?), ref: 0040DBB7

Strings

Software\WinRAR SFX, xrefs: 0040DB47

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CloseOpenQueryValue_wcscpy
String ID: Software\WinRAR SFX
API String ID: 2005349754-754673328
Opcode ID: 5a2b69c89800e9bdd399ce0e9e4a259883a1022fe18fb91a4a4725133ef4c013
Instruction ID: 4c76dbbd45d9bc8f01a1638326186229006e98cd85c276784524804615dea21e
Opcode Fuzzy Hash: 5a2b69c89800e9bdd399ce0e9e4a259883a1022fe18fb91a4a4725133ef4c013
Instruction Fuzzy Hash: 29110635A0020CEBEF219F90DD45FDE7BB8EF04345F5040B6B905A2191D7B8AA94DB69

Function 004050E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?), ref: 004050F5
SHBrowseForFolderW.SHELL32(?), ref: 00405130

Strings

A, xrefs: 00405129

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: BrowseFolderMalloc
String ID: A
API String ID: 3812826013-3554254475
Opcode ID: 38b49180d38aa256d497848d66ef1996a2da1d611468f43139da5b44fce9136b
Instruction ID: 7c691baa3b27f7502734ebd35b11d26621297010b335108cc4fc530f71bfb90e
Opcode Fuzzy Hash: 38b49180d38aa256d497848d66ef1996a2da1d611468f43139da5b44fce9136b
Instruction Fuzzy Hash: F0010572900619EBDB11CFA4D909BEF7BF8EF49311F204466E805EB240D779DA058FA5

Function 00419CB2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00419CC9
SHAutoComplete.SHLWAPI(?,00000010), ref: 00419D00

Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409CA8,?,00000000,?,00409DC2,00000000,-00000002,?,00000000,?), ref: 00411E76

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00419CF0

Strings

EDIT, xrefs: 00419CD4, 00419CD9, 00419CEC

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: b027ed5b97d113a91e8e700dc85ec23dd11054ff1df16afbaa6f3d453c1c9159
Instruction ID: c03662b206b47bf0f9187f3c1687b62eae72e09aaad69f108c393d7fbd584eff
Opcode Fuzzy Hash: b027ed5b97d113a91e8e700dc85ec23dd11054ff1df16afbaa6f3d453c1c9159
Instruction Fuzzy Hash: 3CF0E232300219BBDB305A15AD05FEB36BC9F86B40F840066FE01E2280EB68D84285BA

Function 004087C3 Relevance: 6.1, APIs: 4, Instructions: 104
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,-7FFFF7FE,?,00000000,00000003,-00000001,00000000,00000802,00000000,?,00000000,00406E59,00000000,00000005,?,00000011), ref: 00408854
GetLastError.KERNEL32(?,00000000,00406E59,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 0040885D
CreateFileW.KERNEL32(?,-7FFFF7FE,?,00000000,00000003,00000000,00000000,?,?,00000800,?,00000000,00406E59,00000000,00000005,?), ref: 00408895
GetLastError.KERNEL32(?,00000000,00406E59,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 00408899

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 4d3b36c18a63bf9a6cb3bb75dabf04ddc5da56a9a0870096324c8bcc010d085f
Instruction ID: e5fec55928a071c2e3d1b6f10086eb5e0cd4d8e33465c7e2028d9d916ffc9c2f
Opcode Fuzzy Hash: 4d3b36c18a63bf9a6cb3bb75dabf04ddc5da56a9a0870096324c8bcc010d085f
Instruction Fuzzy Hash: 083169725047449BE7309B20CD05BEB77D4AB80318F104A2EF9D0A33C2DBBE9548D75A

Function 00401822 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401827

Part of subcall function 00405F3C: __EH_prolog.LIBCMT ref: 00405F41
Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FA4
Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FB0
Part of subcall function 00405F3C: _memset.LIBCMT ref: 00405FCE

Part of subcall function 0040B8E3: __EH_prolog.LIBCMT ref: 0040B8E8

_memset.LIBCMT ref: 0040196A
_memset.LIBCMT ref: 00401979
_memset.LIBCMT ref: 00401988

Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4

Part of subcall function 0040A026: __EH_prolog.LIBCMT ref: 0040A02B

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset$H_prolog$_malloc
String ID:
API String ID: 4233843809-0
Opcode ID: 89f10ec8c43f5c59ed1e48a3837198038f2aefdd0a2d009fb04471144bad9c18
Instruction ID: 211b101a5e2dbba32f2c8dae62910ed897794103f7d8a7f2ed724c9505602145
Opcode Fuzzy Hash: 89f10ec8c43f5c59ed1e48a3837198038f2aefdd0a2d009fb04471144bad9c18
Instruction Fuzzy Hash: 865127B1445F809EC321DF7988916D7FFE0AF29314F84496E91FE93282D7352658CB29

Function 00413CE8 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413CED
_memset.LIBCMT ref: 00413D11
_memset.LIBCMT ref: 00413D8D
_malloc.LIBCMT ref: 00413DC0

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset$H_prolog_malloc
String ID:
API String ID: 1600808285-0
Opcode ID: f9e7b2a6a83c73fc1ba99619ebe61da21776ee40c69ad0e57b9b97bafc6a76b5
Instruction ID: 702ce421a693160a9893d7f58a622c69960126b9ff2eeb296b605b135dd4a1ff
Opcode Fuzzy Hash: f9e7b2a6a83c73fc1ba99619ebe61da21776ee40c69ad0e57b9b97bafc6a76b5
Instruction Fuzzy Hash: F831D4B1E01215ABDB14AF65D9057EB76A8FF14319F10013FE105E7281E7789E9087ED

Function 00408CA0 Relevance: 6.1, APIs: 4, Instructions: 59fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,004335AC,?,00000000,?,?,00408EB0,?,00000000,?,?,00000000), ref: 00408CB1
ReadFile.KERNELBASE(?,?,?,00000000,00000000,004335AC,?,00000000,?,?,00408EB0,?,00000000,?,?,00000000), ref: 00408CC9
GetLastError.KERNEL32(?,00408EB0,?,00000000,?,?,00000000), ref: 00408D01
GetLastError.KERNEL32(?,00408EB0,?,00000000,?,?,00000000), ref: 00408D1C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: c1fed62a9ea2a8515d50b02984c21f09fd940ae1629289a4c1ded04f954c3d6f
Instruction ID: b149f771e66fe820b49a3db0cdc04a66bbf6f60059da98a6e892905e95da3d99
Opcode Fuzzy Hash: c1fed62a9ea2a8515d50b02984c21f09fd940ae1629289a4c1ded04f954c3d6f
Instruction Fuzzy Hash: B411A734504608EFEB205B50DA4096A37A8FF71374B10863FE996A52D1DE3DCD41DF2A

Function 004076AA Relevance: 6.0, APIs: 2, Strings: 1, Instructions: 792COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004076AF

Part of subcall function 00418B3D: _wcscpy.LIBCMT ref: 00418C26

_memcmp.LIBCMT ref: 00407ABB

Strings

E, xrefs: 0040808E

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog_memcmp_wcscpy
String ID: E
API String ID: 1926841707-3568589458
Opcode ID: 196e278f7dddb126d2dbccce5fe2abb71f5a872f6c9e6e354283e500f103bc2c
Instruction ID: c8680630b07ceb330da05956c27536b96a03d31217007f6de18683c0289c3294
Opcode Fuzzy Hash: 196e278f7dddb126d2dbccce5fe2abb71f5a872f6c9e6e354283e500f103bc2c
Instruction Fuzzy Hash: 4872B870D086849EEF25DB64C844BEA7BA55F05304F0840FFE94A6B2D2C77D7984CB6A

Function 0040D116 Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D127
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040D138
TranslateMessage.USER32(?), ref: 0040D142
DispatchMessageW.USER32(?), ref: 0040D14C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: db1d2709ee26d26a19af258b04a512226032370801fdef34d6f208b0e00134af
Instruction ID: 62915b0a08277243b8fe4fd8ce30adb6e130eab43b2b780e39f86cd7d7c3188f
Opcode Fuzzy Hash: db1d2709ee26d26a19af258b04a512226032370801fdef34d6f208b0e00134af
Instruction Fuzzy Hash: 9FE0ED72E0112AA7CB20ABE19C0CDDB7F6CEE062517404021BD05E2015D638D116C7F5

Function 0040820B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408210

Part of subcall function 00401822: __EH_prolog.LIBCMT ref: 00401827
Part of subcall function 00401822: _memset.LIBCMT ref: 0040196A
Part of subcall function 00401822: _memset.LIBCMT ref: 00401979
Part of subcall function 00401822: _memset.LIBCMT ref: 00401988

Part of subcall function 00401417: __EH_prolog.LIBCMT ref: 0040141C

_wcscpy.LIBCMT ref: 004082AF

Strings

rar, xrefs: 00408262

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog_memset$_wcscpy
String ID: rar
API String ID: 2876264062-1792618458
Opcode ID: d8064b72c640e36a82a0b68421302acdf3e8c056939b4e9f8210efc5c70c758b
Instruction ID: 75000dcce843433d4275637ef0618472c828e59e125cdaf0ff5f97d994d1ab7f
Opcode Fuzzy Hash: d8064b72c640e36a82a0b68421302acdf3e8c056939b4e9f8210efc5c70c758b
Instruction Fuzzy Hash: 3D41A4319002589EDB24DB50C955BEA77B8AB14304F4448FFE489B3182DB796FC8CB29

Function 00411254 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_000111DD,?,00000000,?), ref: 00411278
SetThreadPriority.KERNEL32(?,00000000,?,?,004112E4,-00000108,00404FE0), ref: 004112BF

Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441

Strings

CreateThread failed, xrefs: 00411284

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 3061c48cbf7df5314d67cb84a6f78a2ab06f9f7c5b99b3b88179035cff10f0ee
Instruction ID: 964536ca15170dd961cb9332306e5bd8003a90b1d1e662a5f33448d65f1dc838
Opcode Fuzzy Hash: 3061c48cbf7df5314d67cb84a6f78a2ab06f9f7c5b99b3b88179035cff10f0ee
Instruction Fuzzy Hash: 4B01A2753453057BD3215F55AC46BB673A9EB44766F20043FFB82E11D0DAB4A8608A2D

Function 004126F0 Relevance: 4.6, APIs: 3, Instructions: 110COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0041276B
_malloc.LIBCMT ref: 00412785

Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5

_memset.LIBCMT ref: 004127D8

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AllocateException@8HeapThrow_malloc_memset
String ID:
API String ID: 3965744532-0
Opcode ID: aecc41870ac87d010834a5c488dea66f27f1e28d46d9c5665e17219ed6a13b4d
Instruction ID: 1154a5c9599e5537b836a1002f89e902606abe80a59ae87693d08389c363c3d7
Opcode Fuzzy Hash: aecc41870ac87d010834a5c488dea66f27f1e28d46d9c5665e17219ed6a13b4d
Instruction Fuzzy Hash: 05410470905745ABEB25EE38D6C47DBB7D0AF14304F20482FE5A6D3281C7B8A9E4C718

Function 00408AA9 Relevance: 4.6, APIs: 3, Instructions: 104fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,0040BB41,?,?,00000000,?,?,004124ED,?,?,?,00000001,?), ref: 00408AC5
WriteFile.KERNEL32(00000001,?,00004000,?,00000000,?,?,0040BB41,?,?,00000000,?,?,004124ED,?,?), ref: 00408B01
WriteFile.KERNELBASE(00000001,?,00000000,?,00000000,?,?,?,?,?,0040BB41,?,?,00000000,?,?), ref: 00408B2D

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 2630e5a33cfd0af18d09aa74bbfd8346207367a51011a650ef626fa881f46d74
Instruction ID: f20fcf70e75a5c6d44a32b1c4255a65a5bf54a4d93884812af3801fc7a684339
Opcode Fuzzy Hash: 2630e5a33cfd0af18d09aa74bbfd8346207367a51011a650ef626fa881f46d74
Instruction Fuzzy Hash: 9B31C371300204AFDB209F65CA44BAB77A9EB94310F04813FF996E72C1DB78A905DF29

Function 004092C9 Relevance: 4.6, APIs: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 0040A08A: _wcslen.LIBCMT ref: 0040A090

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,?,?,?,0040941E,?,00000001,00000000,?,?,?,?,?), ref: 004092F9
CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000800,00000000,00000000,?,?,?,0040941E,?,00000001,00000000,?,?), ref: 00409328
GetLastError.KERNEL32(00000000,00000000,?,?,?,0040941E,?,00000001,00000000,?,?,?,?,?,?,004067A5), ref: 00409341

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: e440fb91986ed667ecea05b8623b67f22d0563812c7c3dc4cd5ad5119d8de580
Instruction ID: 5cfd1deac55777c6f3d5c0bdf32a3cf990456680eccb4e8d5c114054f7fd3324
Opcode Fuzzy Hash: e440fb91986ed667ecea05b8623b67f22d0563812c7c3dc4cd5ad5119d8de580
Instruction Fuzzy Hash: DD01C031100204A5DB216A664C42BBB37589B4EB84F88447BFD41F62D2CB7C9C92D97E

Function 0040E2D7 Relevance: 4.6, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E2DC
_wcscpy.LIBCMT ref: 0040E2FC

Part of subcall function 00410D16: _wcslen.LIBCMT ref: 00410D2C
Part of subcall function 00410D16: _wcscpy.LIBCMT ref: 00410D42

_wcscpy.LIBCMT ref: 0040E31A

Part of subcall function 00407150: __EH_prolog.LIBCMT ref: 00407155

Part of subcall function 00407074: __EH_prolog.LIBCMT ref: 00407079

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog_wcscpy$_wcslen
String ID:
API String ID: 2067596392-0
Opcode ID: aa5c2ab907567c22763022a3e14260f934ba444c4f603d8b7408ac10fc9ad921
Instruction ID: 34baa23ef678cdf00172776f2fc4f6da7b22e3ce89fab18911e310d79256e735
Opcode Fuzzy Hash: aa5c2ab907567c22763022a3e14260f934ba444c4f603d8b7408ac10fc9ad921
Instruction Fuzzy Hash: E7112675906294AED705EBA4AC427CD7BA0DB16318F1040AFF444A2292CFB91A90DB6E

Function 00401768 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040176D

Strings

CMT, xrefs: 004017D6

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: c5dcd452fd1e4eeec7eacad65d6409f1913b512c17b790326e9b6827e8618ada
Instruction ID: 903a9e83ebfadd1395375551f57b58f4375dbb7200b7f1b09ca9293e13445996
Opcode Fuzzy Hash: c5dcd452fd1e4eeec7eacad65d6409f1913b512c17b790326e9b6827e8618ada
Instruction Fuzzy Hash: C5210275600144AFCB05EF6488908AEBBB9EF44314B00C06FF866773E2CB389E01DB68

Function 00401106 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 0040115B

Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441

Strings

Maximum allowed array size (%u) is exceeded, xrefs: 0040112C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded
API String ID: 620378156-979119166
Opcode ID: dce6db5a0bfaf73c63961f3884acddfac192c2d93569977231d8791de2d42667
Instruction ID: b98885df3920ffeceb53ce79d7a953b92e5ea0a83a6506546a83ec3ee512e677
Opcode Fuzzy Hash: dce6db5a0bfaf73c63961f3884acddfac192c2d93569977231d8791de2d42667
Instruction Fuzzy Hash: 8D014F353006056FD728EA25D89193BB3E9EB88764310483FF99B97791EA39BC548718

Function 00401417 Relevance: 3.3, APIs: 2, Instructions: 264COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040141C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8d4131a6c0ab78f129bbdc20b8640a8360fcb8037d97d2b6f97067a7eefdc9b
Instruction ID: 1df30631c7f2331ab9bb659be56b51083ca38efb3ea41a431c6c341c2f7f2518
Opcode Fuzzy Hash: e8d4131a6c0ab78f129bbdc20b8640a8360fcb8037d97d2b6f97067a7eefdc9b
Instruction Fuzzy Hash: D7A1A370904B44AFDB31DB38C8447ABB7E5AB45304F14482FE4A7A72E1D779A881CB59

Function 00408923 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,?,?,-00000011,?,00408777,?,-00000011,?), ref: 004089A5
CreateFileW.KERNEL32(?,000000FF,?,00000000,00000002,00000000,00000000,?,?,00000800,?,?,?,-00000011,?,00408777), ref: 004089DA

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a074d9b34406725a99dd7798f6dc6781e4ed09d04832e0e73d262d8c08033346
Instruction ID: 01d84b190ee352a3a297c1effa4f932d2cea621e1ee0f9c6dc0f58f94aa457de
Opcode Fuzzy Hash: a074d9b34406725a99dd7798f6dc6781e4ed09d04832e0e73d262d8c08033346
Instruction Fuzzy Hash: F621E6B1000709AFDB20AF28CD41AEA7BA9EB04324F00853EF5D5972D1CA799D859B59

Function 004012EA Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004012EF

Part of subcall function 00402C8B: __EH_prolog.LIBCMT ref: 00402C90

_wcslen.LIBCMT ref: 00401391

Part of subcall function 0041A506: __lock.LIBCMT ref: 0041A524
Part of subcall function 0041A506: ___sbh_find_block.LIBCMT ref: 0041A52F
Part of subcall function 0041A506: ___sbh_free_block.LIBCMT ref: 0041A53E
Part of subcall function 0041A506: RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
Part of subcall function 0041A506: GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_wcslen
String ID:
API String ID: 2367413355-0
Opcode ID: 11f42ef8cdaa0769df478fd29a00db720605d229e9827037435442823eb81be9
Instruction ID: 0a298500d8bcfa7ff7c3c7c798daa7998fe1fc2396f24876ea38c2992963b511
Opcode Fuzzy Hash: 11f42ef8cdaa0769df478fd29a00db720605d229e9827037435442823eb81be9
Instruction Fuzzy Hash: 43218131C04219AADF11AF95D8019EFBBBAEF44704F10402FF815B26B1D7791951DB99

Function 0040E75F Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E764

Part of subcall function 00401822: __EH_prolog.LIBCMT ref: 00401827
Part of subcall function 00401822: _memset.LIBCMT ref: 0040196A
Part of subcall function 00401822: _memset.LIBCMT ref: 00401979
Part of subcall function 00401822: _memset.LIBCMT ref: 00401988

Part of subcall function 00401768: __EH_prolog.LIBCMT ref: 0040176D

_malloc.LIBCMT ref: 0040E7CC

Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog_memset$AllocateHeap_malloc
String ID:
API String ID: 47157355-0
Opcode ID: 8a0e236cf4d95a6c185fe36cf45249ef349d68e2c77d2ed9baa34b65b141d772
Instruction ID: 028989472a53044f7525bc0779393b56fb6d8ddec0b6eee1d5d0b7402cf9aefd
Opcode Fuzzy Hash: 8a0e236cf4d95a6c185fe36cf45249ef349d68e2c77d2ed9baa34b65b141d772
Instruction Fuzzy Hash: 09217F72800259EFCF15EFA5D8819EEB7B4BF08308F10456FE006B3291E7385A44DB69

Function 00408BAE Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408BE1
GetLastError.KERNEL32(?,?), ref: 00408BEE

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 401041f812e38b2c9cc7bc658f647880eeddc778264b755613b9ad4916800595
Instruction ID: 02e03e75e993c9a8a945b97f90e28c3a97864ede8bf9f3e31abc9cd0b64ad5c5
Opcode Fuzzy Hash: 401041f812e38b2c9cc7bc658f647880eeddc778264b755613b9ad4916800595
Instruction Fuzzy Hash: 540145B2706204BFE7209B788D458AB36ADCB84334B14423FB192E33C1EA749D00527D

Function 0040C3BF Relevance: 3.0, APIs: 2, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C410
LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C422

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 72945bf23e6ae9cf9b0fab0a5a9e43b8bd420b2efeca12c7a5d03f8341522d8c
Instruction ID: edfc175873420c56a2918f30daf07abd917a54f8fc7c105ac48efc03a3cacc81
Opcode Fuzzy Hash: 72945bf23e6ae9cf9b0fab0a5a9e43b8bd420b2efeca12c7a5d03f8341522d8c
Instruction Fuzzy Hash: 200186722012107FD6209F19AC85F577BEDEB99351F10543AB900D32A1D6359C01876C

Function 00408F4B Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000001,00000000,?,?,?,?,00408FD1,00000000,00000000,00000000,?,00407DE2,?,?), ref: 00408F9E
GetLastError.KERNEL32(00408FD1,00000000,00000000,00000000,?,00407DE2,?,?,?,?,?,?,?,?), ref: 00408FAA

Part of subcall function 00408E03: __EH_prolog.LIBCMT ref: 00408E08

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: fcb39ab4431aa7e293366899b2db99d4a95afe2178fb6d1211a042b2fb6e45d7
Instruction ID: 31f7e80921147255a447777291f97898e209bd40052f61b908ef1a5d0e3b9beb
Opcode Fuzzy Hash: fcb39ab4431aa7e293366899b2db99d4a95afe2178fb6d1211a042b2fb6e45d7
Instruction Fuzzy Hash: 1E019631200306DBCF248F64CD046AE776ABF813A5F14463EF8A1A22D0DB78D951DA55

Function 0041A89A Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0041A8B4

Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5

__CxxThrowException@8.LIBCMT ref: 0041A8F9

Part of subcall function 0041216A: std::exception::exception.LIBCMT ref: 00412174

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
String ID:
API String ID: 1264268182-0
Opcode ID: 652451197443050397a994e0f1a437ce7b6bc5e6c303dc83bd53091e5d1b5587
Instruction ID: 42064790ed8d2a037bfba99cbedd4ff18ff19c5b52db1d8e26b3e688ef0b8114
Opcode Fuzzy Hash: 652451197443050397a994e0f1a437ce7b6bc5e6c303dc83bd53091e5d1b5587
Instruction Fuzzy Hash: 64F0E23160021972CB047B22ED46ACE37586F01728B10403BFC1199192DFAC9ADA919E

Function 004090E4 Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,-00000011,?,0040877F,?,?,00000001,?,?,?,?,?,?,00000000,?), ref: 004090FC
DeleteFileW.KERNEL32(?,?,?,00000800,?,0040877F,?,?,00000001,?,?,?,?,?,?,00000000), ref: 00409126

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0a42f7c6465a65df2585c125a2f12a68c0d7bb240ddda169d7c29578124ac562
Instruction ID: c332a15ca0b0e5e82477794df9822c7aeed54c7470201c7e9f38434531037f1b
Opcode Fuzzy Hash: 0a42f7c6465a65df2585c125a2f12a68c0d7bb240ddda169d7c29578124ac562
Instruction Fuzzy Hash: DBE02B3114122AA7EB00A620DC01FDA3B5C9F043C0F0440737C80E71D1DB75DCE0D9A4

Function 00409041 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,004092AE,?,00406796,?,?,?,?), ref: 00409059
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,004092AE,?,00406796,?,?,?,?), ref: 00409081

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b25c0f1027ae8764d85bcc1b21548e8f0eb716d18d4362393a4ff3fac8f95358
Instruction ID: f0aa2148c7acefeba2e85b7bc3a11c2245577506fd5686bf0be3bfe97b3e7ecd
Opcode Fuzzy Hash: b25c0f1027ae8764d85bcc1b21548e8f0eb716d18d4362393a4ff3fac8f95358
Instruction Fuzzy Hash: BBE092326101186ACB10A669DC00BDE379D9BC83E5F0401B3BE44E32D5DAB4DD95CBA5

Function 0040DDFF Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040DE2D
SetDlgItemTextW.USER32(00000065,?), ref: 0040DE44

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 8034b9b9aa660211ead63cdf03b6a57d34fff27c13a9ae0071d7a28958d0b1e9
Instruction ID: 335ddef7e6713e4d0d4f603cdcadd61df7388e1f4a4116fbf7552c9c9eb2c210
Opcode Fuzzy Hash: 8034b9b9aa660211ead63cdf03b6a57d34fff27c13a9ae0071d7a28958d0b1e9
Instruction Fuzzy Hash: 02F0EC75A0420866E711B7A1CC07F9B36589B09789F04047FB601760F3D9795564479A

Function 00410EDB Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,00410F17,00409FF4), ref: 00410EE8
GetProcessAffinityMask.KERNEL32(00000000), ref: 00410EEF

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 5b6efae98f4fd143c9c11739b7a9d49426725563ed325c59bf560736ad01bde8
Instruction ID: ae3045e16ef29d64dcafac8e7d0c22bbd438388315c71f77e1501110187c073f
Opcode Fuzzy Hash: 5b6efae98f4fd143c9c11739b7a9d49426725563ed325c59bf560736ad01bde8
Instruction Fuzzy Hash: 86E08672A1020AA78F2897A0CD4A9EF32ACEB01215700087BE503C1640EAF8D5D24629

Function 004060C9 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 004060DE
ShowWindow.USER32(00000000), ref: 004060E5

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 76029219059209f4090a36f07538af165f69a2de4b0c3b600f66da5fa765a026
Instruction ID: 00e924dde3bcd55588ca107b376b403c6fb897f844ebcc5e5070703d20151260
Opcode Fuzzy Hash: 76029219059209f4090a36f07538af165f69a2de4b0c3b600f66da5fa765a026
Instruction Fuzzy Hash: E7C01232258241FFCB020BB0DC09E2ABBA8ABA5312F10CD68B4A5C1160C23AC024DB22

Function 00402C8B Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402C90

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2adb2e46dfa9c528ebc340105a31a2d546adb33428178d20608c313c98083781
Instruction ID: d2613427887af626ac15b725df06f6c4975e9b849f4698f9cbfae21a5c634ed1
Opcode Fuzzy Hash: 2adb2e46dfa9c528ebc340105a31a2d546adb33428178d20608c313c98083781
Instruction Fuzzy Hash: 8E615870505B40AADB34DB39C999BEBB7E4AF51304F00456FF4AB622C2CBBC2944DB59

Function 0040935F Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004093C6

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: eec277942e391c224009335c7c4fdbf9ccf01f1ad50b69e55fa7bc55e694a795
Instruction ID: d4505bb1f71f0a7630b1187c5dc073957316d7994076f763c5609016dbc7fb68
Opcode Fuzzy Hash: eec277942e391c224009335c7c4fdbf9ccf01f1ad50b69e55fa7bc55e694a795
Instruction Fuzzy Hash: 1821F9705412146ADF209BA5C8817EF73A8AF09744F104067FD84E71C2E6BC9DC58799

Function 004071DF Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004071E4

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 64ae09b8b7d6d911e9fbb323825e8f5681d7d5dd0d1dbfba22af46c2c3ac0037
Instruction ID: 0e7476b061c64c38a033d28293548f621ad6c4fedd1d6d7b32e1dff298444af0
Opcode Fuzzy Hash: 64ae09b8b7d6d911e9fbb323825e8f5681d7d5dd0d1dbfba22af46c2c3ac0037
Instruction Fuzzy Hash: F611E336D04216A7CB21AE69D881BAF7774AB84724F00427FF910772C0C77CAD4186AE

Function 004155EF Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004155F4

Part of subcall function 0041A506: __lock.LIBCMT ref: 0041A524
Part of subcall function 0041A506: ___sbh_find_block.LIBCMT ref: 0041A52F
Part of subcall function 0041A506: ___sbh_free_block.LIBCMT ref: 0041A53E
Part of subcall function 0041A506: RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
Part of subcall function 0041A506: GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ErrorFreeH_prologHeapLast___sbh_find_block___sbh_free_block__lock
String ID:
API String ID: 2675452811-0
Opcode ID: 8497dd6851e15abeade78bc1a96ba9a899c127afdb4d8d4cff6b23ee0cc24447
Instruction ID: af90cb06349abb904c7e908c808b67ca80216b7905dff4050bf1b7fec03d4104
Opcode Fuzzy Hash: 8497dd6851e15abeade78bc1a96ba9a899c127afdb4d8d4cff6b23ee0cc24447
Instruction Fuzzy Hash: DA117871210740DAC325FF76DA636DBB7B0AF24304F40091EA06B525D2EFB8BA44CA19

Function 00407150 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407155

Part of subcall function 0040B8E3: __EH_prolog.LIBCMT ref: 0040B8E8

Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4

Part of subcall function 0041768A: __EH_prolog.LIBCMT ref: 0041768F

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog$_malloc
String ID:
API String ID: 4254904621-0
Opcode ID: f4a0015dd81c6367a1e3723969d7ed7b71eec4aecea33b784c0cc5c9c2fc540f
Instruction ID: 4fa22713ff1b1cd4263d7298948381a35fc14f9b7bb01a12f51cc5b8ed2a70ee
Opcode Fuzzy Hash: f4a0015dd81c6367a1e3723969d7ed7b71eec4aecea33b784c0cc5c9c2fc540f
Instruction Fuzzy Hash: B401ADB2A107009AC7109FAAC44029AF7E9FF94310F00842FE459D3390D7B8A9408B59

Function 00408E03 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408E08

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 863cc4a6e1e3a3a4d87e432309fddcfd3b8ff728f9b2f9572ac3dc0eeb2e4462
Instruction ID: bd93042bfc1aad2116d0877f42dabf9818625296a81febac24436190ec2c14aa
Opcode Fuzzy Hash: 863cc4a6e1e3a3a4d87e432309fddcfd3b8ff728f9b2f9572ac3dc0eeb2e4462
Instruction Fuzzy Hash: 33F04F35B00214AFD7149F58C889FADB7B5EF48724F208159E912A73D1CB749D008A54

Function 00405512 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405517

Part of subcall function 0040A026: __EH_prolog.LIBCMT ref: 0040A02B

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8d7273e43c00e3d352773117abe9a80c711290f191c18f656fba03e9df2d1900
Instruction ID: fa77f21fc7194b1e08a14eb3a2c561e3cb85337c9bb77c22dcaa42305da5d14c
Opcode Fuzzy Hash: 8d7273e43c00e3d352773117abe9a80c711290f191c18f656fba03e9df2d1900
Instruction Fuzzy Hash: A2013130901694DAD715EBA5D1157DDB7B49F14308F00449FE456532C3DFF82B84CB66

Function 004096BC Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 0040A0A4: _wcspbrk.LIBCMT ref: 0040A0B5

FindClose.KERNELBASE(00000000,00000800,000000FF,?,?,?,?,00408411,?,?,00000000,?,00000800), ref: 004096EC

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CloseFind_wcspbrk
String ID:
API String ID: 2190230203-0
Opcode ID: 85123c6e94d2e517bbdffd63dea6bf8ab785228859dafa86eb4c7b41f0ab578b
Instruction ID: c5db38677187ea9b8dec244fb3c8af9ff7d0a6647eff614e001a313c4cd0766c
Opcode Fuzzy Hash: 85123c6e94d2e517bbdffd63dea6bf8ab785228859dafa86eb4c7b41f0ab578b
Instruction Fuzzy Hash: 21F09635005380ABCA225B658404AC77B945F55365F048A1EB1F9621D7C279545ADB26

Function 00407074 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407079

Part of subcall function 004155EF: __EH_prolog.LIBCMT ref: 004155F4

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b7d3c8e010c571e5a6642b72fc2b2d393aaf48cfcd88e5119046994b0af1dfd5
Instruction ID: da238740c98ae75ebc3f5927faf798116ad114c2e9bc9b884e51ec1b39bdab83
Opcode Fuzzy Hash: b7d3c8e010c571e5a6642b72fc2b2d393aaf48cfcd88e5119046994b0af1dfd5
Instruction Fuzzy Hash: D1E06D32A11610ABC715AB29C4066EEF3B9EFC0728F10422FA062636C1DBB86D418659

Function 00410DDE Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00410E13

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 99114e7ac6e4293e68323f01352a3d081b9a398302f12d6f006bb62c0eb9cb63
Instruction ID: ce8ef4de1523c5d0242b00cb845f3d850d1a93a8e5a83f46045a12d46b5ed054
Opcode Fuzzy Hash: 99114e7ac6e4293e68323f01352a3d081b9a398302f12d6f006bb62c0eb9cb63
Instruction Fuzzy Hash: 62D0C23170015022CA213B2B2815BEE56194F81724F0900BFB501622E38EAC09C281EE

Function 00409720 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00409741

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: c61d5f3dc6c1f9b97ffe444c65296dc1c5881d1e0fbf0653a527c25b506bb31f
Instruction ID: 57c48ace6bef99692c10c7cc37c4410ce12e8001caaa4568d5ee7d388360cf58
Opcode Fuzzy Hash: c61d5f3dc6c1f9b97ffe444c65296dc1c5881d1e0fbf0653a527c25b506bb31f
Instruction Fuzzy Hash: D7E0CD729053406AD371751D9C04F579AD85B95725F14C82FB089A32C3C1BC5C51C759

Function 0041EDF7 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041EE0C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 6c78c704c61e396e770c5c9d5bf39bc32bfab303bf8d18d204e2a82309729daa
Instruction ID: eb53d8fa6b9c670d76401f9b6e634384cdf5b6bc28e7f080834842f41bea832e
Opcode Fuzzy Hash: 6c78c704c61e396e770c5c9d5bf39bc32bfab303bf8d18d204e2a82309729daa
Instruction Fuzzy Hash: E6D05E366503485ADB106F716C09B763BDCD384396F104436BC1DC6150F775C5A09A48

Function 00408C5A Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00408CDA,?,00408EB0,?,00000000,?,?,00000000), ref: 00408C66

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b9077224b9f88db5cd0ce6d94ac7233058a1c10921077028cad7c3ce69d3e2a2
Instruction ID: 2361e1c995e4a541e26ad64c94d2af3b89e31d8e4072a4a2db2c19a8efa4df55
Opcode Fuzzy Hash: b9077224b9f88db5cd0ce6d94ac7233058a1c10921077028cad7c3ce69d3e2a2
Instruction Fuzzy Hash: 8EC0127151610056DF2046385A8845B376687433667789FF9E071D12E5CB3ECC56B025

Function 0040D513 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0040D530

Part of subcall function 0040D116: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D127
Part of subcall function 0040D116: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040D138
Part of subcall function 0040D116: TranslateMessage.USER32(?), ref: 0040D142
Part of subcall function 0040D116: DispatchMessageW.USER32(?), ref: 0040D14C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 7040c51d5953534f53b945be8071fa726febfab1a70e776a765f2f75df90e843
Instruction ID: 888b2871e718dea131dfcf0ec1cbc21fe8f041a13ed789b986bd41985b0bed4c
Opcode Fuzzy Hash: 7040c51d5953534f53b945be8071fa726febfab1a70e776a765f2f75df90e843
Instruction Fuzzy Hash: FDC01235240300ABE7117B50DD07F1A3A62BB88B09F808039BA81380F2CEB648369A0A

Function 00408C47 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,004080D7,?,?,?,?,?,?), ref: 00408C4A

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 372b206049e22359e890f019f69c17f88631756899d3b8a56b0e056d033f7bf1
Instruction ID: 463f2a0b6f7528456a39aa395305c1415068e572747894341c9f749ccc5f34b3
Opcode Fuzzy Hash: 372b206049e22359e890f019f69c17f88631756899d3b8a56b0e056d033f7bf1
Instruction Fuzzy Hash: 80B012703E0006878E102B30CD084143910D71130630041B0600AC6061CB13C0135611

Function 00419C88 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0040D8E5,0042A65C,00000000,?,00000006,?,00000800), ref: 00419C8C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 35c8f440b0c787f752f8f5ff34d68e699b4f54a7e8ae052c3817328c3539a25c
Instruction ID: 2a7281b05ebb75ae791a00df68b116ffeccc810d55834c007acaed3bb23dd98c
Opcode Fuzzy Hash: 35c8f440b0c787f752f8f5ff34d68e699b4f54a7e8ae052c3817328c3539a25c
Instruction Fuzzy Hash: 50A012302940064F8A100B30CC0D82577506760702F0096307002C10A4CB304430A505

Function 00408A32 Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,76F920B0,00000000,0040868D,?,?,?,?,00407427,?,00000000,?,00000800,?,?,?), ref: 00408A4D

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b21f32aa194ba9df83e0161a33b0e827325d82f6e4b9bdb228d687f297159138
Instruction ID: ad6283f58ebf58fc73997c28fab75cfea7daa8eae0e70c9973603df5d86841c1
Opcode Fuzzy Hash: b21f32aa194ba9df83e0161a33b0e827325d82f6e4b9bdb228d687f297159138
Instruction Fuzzy Hash: 55F027706427044FD73056384A4879333D85B16331F049B2FD8E2A3BC0CB7898894E64

Non-executed Functions

Function 0040DE5E Relevance: 52.8, APIs: 27, Strings: 3, Instructions: 291windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0040DED8
DestroyIcon.USER32(00000000), ref: 0040DEE3
EndDialog.USER32(?,00000006), ref: 0040DEEB

Strings

%s %s %s, xrefs: 0040E003, 0040E124
REPLACEFILEDLG, xrefs: 0040DE76
%s %s, xrefs: 0040E07C, 0040E183

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: DestroyDialogIconItemMessageSend
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3309745630-1840816070
Opcode ID: 16eeae55bdc9405558cec747ebfcc07caac1c70e605718ffa483f40035c658e6
Instruction ID: 1ca02d43f13477766b0e0b2ecc80fe6690186a1d560daa565d76ee57e1f32e2a
Opcode Fuzzy Hash: 16eeae55bdc9405558cec747ebfcc07caac1c70e605718ffa483f40035c658e6
Instruction Fuzzy Hash: 56A18272A4021CABEB21DFE0CC85FEF776DEB04704F440476BA05E60D1D6789E5A8B65

Function 0040690A Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 294fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040690F
_wcslen.LIBCMT ref: 00406978
_wcscpy.LIBCMT ref: 004069E4
_wcslen.LIBCMT ref: 004069F0

Part of subcall function 00406553: GetCurrentProcess.KERNEL32(00000020,?), ref: 00406562
Part of subcall function 00406553: OpenProcessToken.ADVAPI32(00000000), ref: 00406569
Part of subcall function 00406553: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406589
Part of subcall function 00406553: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 0040659E
Part of subcall function 00406553: GetLastError.KERNEL32 ref: 004065A8
Part of subcall function 00406553: CloseHandle.KERNEL32(?), ref: 004065B7

Part of subcall function 0040935F: _wcsncpy.LIBCMT ref: 004093C6

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000001), ref: 00406A7B
CloseHandle.KERNEL32(00000000), ref: 00406A8C
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000001), ref: 00406A99
_wcscpy.LIBCMT ref: 00406AE5
_wcscpy.LIBCMT ref: 00406B09
_wcscpy.LIBCMT ref: 00406B55
_wcscpy.LIBCMT ref: 00406B7E
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406BA4
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00406BCF
CloseHandle.KERNEL32(00000000), ref: 00406BDA
GetLastError.KERNEL32 ref: 00406BEC
RemoveDirectoryW.KERNEL32(00000000), ref: 00406C21
DeleteFileW.KERNEL32(00000000), ref: 00406C29

Strings

UNC\, xrefs: 004069B5
SeCreateSymbolicLinkPrivilege, xrefs: 00406931
\??\, xrefs: 00406993
SeRestorePrivilege, xrefs: 00406927

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcscpy$CloseCreateFileHandle$DirectoryErrorLastProcessToken_wcslen$AdjustControlCurrentDeleteDeviceH_prologLookupOpenPrivilegePrivilegesRemoveValue_wcsncpy
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 295717069-3508440684
Opcode ID: 61ce2a1e948bc651cc5c71645e7a660e15ad332992f425926efc10dd858bd714
Instruction ID: 0b044a0677013c3ee0dedeb9ad72db73be6c8eb7e300feb6a7d55a674be6f19f
Opcode Fuzzy Hash: 61ce2a1e948bc651cc5c71645e7a660e15ad332992f425926efc10dd858bd714
Instruction Fuzzy Hash: 56B1B471A00215AFDF21EF64CC45BDA77B8EF04304F00446AF95AF7281D778AAA4CB69

Function 004106F4 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

__byteswap_ulong.LIBCMT ref: 00410726
__byteswap_ulong.LIBCMT ref: 00410739
__byteswap_ulong.LIBCMT ref: 0041074C
__byteswap_ulong.LIBCMT ref: 0041075F
__byteswap_ulong.LIBCMT ref: 00410772
__byteswap_ulong.LIBCMT ref: 00410785
__byteswap_ulong.LIBCMT ref: 00410798
__byteswap_ulong.LIBCMT ref: 004107AB
__byteswap_ulong.LIBCMT ref: 004107BE
__byteswap_ulong.LIBCMT ref: 004107D1
__byteswap_ulong.LIBCMT ref: 004107E4
__byteswap_ulong.LIBCMT ref: 004107F7
__byteswap_ulong.LIBCMT ref: 0041080C
__byteswap_ulong.LIBCMT ref: 0041081F
__byteswap_ulong.LIBCMT ref: 00410832
__byteswap_ulong.LIBCMT ref: 00410845

Strings

@Z@, xrefs: 00410928, 00410930, 00410944, 00410961

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: __byteswap_ulong
String ID: @Z@
API String ID: 2309504477-3109265564
Opcode ID: 3d995ba0cc5bd3afd1912a8f52df84b91350d78957cf3c3d8552aa4fe151a300
Instruction ID: 1dc3a99616fea8f09d0a2898b21a56a39af3494018e3c7a499627515aa5f83aa
Opcode Fuzzy Hash: 3d995ba0cc5bd3afd1912a8f52df84b91350d78957cf3c3d8552aa4fe151a300
Instruction Fuzzy Hash: 869119B1A006148FCB24DF5AC881A9EB7F1FF48308F1445AEE59AE7721D734E9948F48

Function 0040CEB6 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CF0E,00000020,?,?,00405D3C,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CEC4
GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CEDD
GetProcAddress.KERNEL32(00438800,CryptUnprotectMemory), ref: 0040CEE9

Strings

CryptProtectMemory, xrefs: 0040CED7
Crypt32.dll, xrefs: 0040CEBF
CryptUnprotectMemory, xrefs: 0040CEDF

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2238633743-1753850145
Opcode ID: 5fe6950aaff99067424b8bdf76d8a3167c7df5a56d66711809a8faa92a841fba
Instruction ID: 6e3b8f00ce2f8e0fa430b510b5536735c08c44b91adf59875fbb0715622b898a
Opcode Fuzzy Hash: 5fe6950aaff99067424b8bdf76d8a3167c7df5a56d66711809a8faa92a841fba
Instruction Fuzzy Hash: 7EE092306003119FD7319F79EC44B03BBE89F94B10B14846FE984E3250C6B8D4518B5D

Function 00406553 Relevance: 9.0, APIs: 6, Instructions: 42COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 00406562
OpenProcessToken.ADVAPI32(00000000), ref: 00406569
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406589
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 0040659E
GetLastError.KERNEL32 ref: 004065A8
CloseHandle.KERNEL32(?), ref: 004065B7

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: c4d8732f7f1e2046f43f8b45a71e1742e44d7c33346580acd03521233585be14
Instruction ID: 201d4201c496fcfd48e74424a9b99b2c6b7fcfb09556bcb8571a25bcb240e8ee
Opcode Fuzzy Hash: c4d8732f7f1e2046f43f8b45a71e1742e44d7c33346580acd03521233585be14
Instruction Fuzzy Hash: A0011DB1600209FFDB209FA4DC89EAF7BBCAB04344F401076B902E1255D775CE259A75

Function 00401CC1 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 769COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401CC6
_strlen.LIBCMT ref: 00402237

Part of subcall function 00411B3C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00001FFF,?,?,004022BC,00000000,?,00000800,?,00001FFF,?), ref: 00411B58

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00402393

Strings

CMT, xrefs: 004023B6

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: a938faf7c17183071b0639e51388f91889b5cef4979cfb0538ab3c6a938d128c
Instruction ID: 47e58a6222a9c82a3371e9f2a391d10810198bea5a194d1edf5ea2ede1dda2e7
Opcode Fuzzy Hash: a938faf7c17183071b0639e51388f91889b5cef4979cfb0538ab3c6a938d128c
Instruction Fuzzy Hash: 8B6201709006849FCF25DF64C8947EE7BB1AF14304F0844BEE986BB2D6DB795985CB28

Function 0041E6DE Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00423F3E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423F53
UnhandledExceptionFilter.KERNEL32(0042BA78), ref: 00423F5E
GetCurrentProcess.KERNEL32(C0000409), ref: 00423F7A
TerminateProcess.KERNEL32(00000000), ref: 00423F81

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 4de6ed279e9cf42e89259ac0ebda5d4927e8938d534c68d964197d147836f072
Instruction ID: 77c401cdca4814435c65699ef26cb777055d8c499ed0f7a386f9586c05fd5705
Opcode Fuzzy Hash: 4de6ed279e9cf42e89259ac0ebda5d4927e8938d534c68d964197d147836f072
Instruction Fuzzy Hash: 6F21C0B8A10208DFE710DF25F8496597BA0FB1A315F90117BE90887271EBB5599ECF0E

Function 0040D155 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0040D17B
GetNumberFormatW.KERNEL32(00000400,00000000,?,004300CC,?,?), ref: 0040D1CA

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: fae0c5bc4c9ea969901553f08fe9413b92117c2e4d377c34b7ff725826ea960f
Instruction ID: 2e86bd0250e0b4fef5c8dc12a3830970d19becb9d4c55c3472b337e1343b8b10
Opcode Fuzzy Hash: fae0c5bc4c9ea969901553f08fe9413b92117c2e4d377c34b7ff725826ea960f
Instruction Fuzzy Hash: DB017C35600248AEE710DFA4EC41FAAB7FCEF09714F005426FA04EB1A0D3B89915CB6D

Function 00410178 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

DD, xrefs: 004101FD
<D, xrefs: 004101A8

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID: <D$DD
API String ID: 0-3036587789
Opcode ID: a120047ceaa170e9019935171625ae5ad03bfb54992e95746f25c16dbdc0a917
Instruction ID: 59a02f745f793eb532b4d9e305735a670a6f692f985c4356a20c5044c607aa25
Opcode Fuzzy Hash: a120047ceaa170e9019935171625ae5ad03bfb54992e95746f25c16dbdc0a917
Instruction Fuzzy Hash: E8D15D72A0061ACFCF14CF58D884599B3B1FF8C308B2685ADE919AB245D731BA56CF94

Function 00417D78 Relevance: 2.6, APIs: 1, Instructions: 1055COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417DB5

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f2ddf0237e8c887b9397686041efde03e6b7465c6b8aca2acf299e0ee70c85ec
Instruction ID: ca8e397051957a2ab45e24d4035287d6273771f133136d8253d7927585564b75
Opcode Fuzzy Hash: f2ddf0237e8c887b9397686041efde03e6b7465c6b8aca2acf299e0ee70c85ec
Instruction Fuzzy Hash: 5692D5709087859FCB29CF34C4D06E9BBF1AF55308F18C5AED8968B342D738A985CB59

Function 00414946 Relevance: 2.0, APIs: 1, Instructions: 478COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 00414A21

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _realloc
String ID:
API String ID: 1750794848-0
Opcode ID: 19fe713726019c3973d82b14b26a9fc68d02c60563561d4d82d0835d1efeca77
Instruction ID: 2a1397d1efbb1e156a4ddc1088eaf27e515a490876f5f290c2ff2c2445328417
Opcode Fuzzy Hash: 19fe713726019c3973d82b14b26a9fc68d02c60563561d4d82d0835d1efeca77
Instruction Fuzzy Hash: 0B02E5B1A106069BCB1DCF28C5916E9B7E1FF85304F24852ED556CBA85D338F9E1CB88

Function 00413EE3 Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00413F73

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 9c54e9cdedc4d1f5f0a70ee5fbfd421263a38b40d6fcac4ed0c82430486a0b60
Instruction ID: 3562be7dcc5a33f83423fe2ddc28cf6e78eed116dec30ec79901489c8d2199a3
Opcode Fuzzy Hash: 9c54e9cdedc4d1f5f0a70ee5fbfd421263a38b40d6fcac4ed0c82430486a0b60
Instruction Fuzzy Hash: CBA11472A00208EBDB04DF65C581BED77B5AB94304F24447FE942EB282C77C9AC2DB59

Function 00419BB0 Relevance: 1.6, APIs: 1, Instructions: 89comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0042B1F8,00000000,00000001,0042B148,?), ref: 00419BC9

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 291608a549582a43ab036b31c95ed53b806bcf03129be81fab9f556b712dc9f9
Instruction ID: e9337f94160ec10d5a134cda80235c1f61728acff05639409476ed3799cc72ed
Opcode Fuzzy Hash: 291608a549582a43ab036b31c95ed53b806bcf03129be81fab9f556b712dc9f9
Instruction Fuzzy Hash: FC311875A00209EFCF04CFA0C898DAA7BB9EF49304B204499F942DB250D739EE51DBA4

Function 0040CA52 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040CAEC

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f170c41e67568dbb41c50a43ec108573c349a1076046e87b2a713adcc681154b
Instruction ID: e1f0199fda650a5869103b9083c5b7a650503f912fa59dbaeb4dd54c60283149
Opcode Fuzzy Hash: f170c41e67568dbb41c50a43ec108573c349a1076046e87b2a713adcc681154b
Instruction Fuzzy Hash: 0721F672704209DFD724CF28D4817AA7BE5AB19300F10892FD896E73C2C678E9458B49

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00409C2B

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1145292b874a8e7a56bde58bed546469a1a499fc1dbdbc0264d61b52db470385
Instruction ID: d7c6bb9a1732f6c2eece22a2b410928bcf9985e9f3444315991ea75afaaef588
Opcode Fuzzy Hash: 1145292b874a8e7a56bde58bed546469a1a499fc1dbdbc0264d61b52db470385
Instruction Fuzzy Hash: E4F0F4B1A041088FDB28CF18E992A99B7F5A748305F1002A5D619D3390DA78AE81CF69

Function 004234CE Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002348C), ref: 004234D3

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c83ebaee86b923b47ec218d74108a47e8bb0214f05dc8ef17ebda85afd4cada2
Instruction ID: 1b01da781a1f42b14bf088c4285091799bc00e9a7c54fca4454c541a30810ab4
Opcode Fuzzy Hash: c83ebaee86b923b47ec218d74108a47e8bb0214f05dc8ef17ebda85afd4cada2
Instruction Fuzzy Hash: 539002603521104746112BB06C1D51565A17F48617BD104A5B401C5054DA598621551B

Function 00404986 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

gj, xrefs: 004049DD

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 8e8f698dc4288f7cd721a7a81a634b87765ee1de91585cf515aab87a68fe5fee
Instruction ID: d9eb52a2d6ff44a43e3580116b86408f9a206631cbab7b39ea8bb55ae5343344
Opcode Fuzzy Hash: 8e8f698dc4288f7cd721a7a81a634b87765ee1de91585cf515aab87a68fe5fee
Instruction Fuzzy Hash: 81C126B2D002289BDF44CF9AD8405EEFBF2BFC8310F2AC1A6D81477615D6346A529F91

Function 00416C3F Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 345b0d20b664bc5a7c067b8b85495d146ce8f508c18b5b2458494fa8c5d0ce26
Instruction ID: ec473c390e775c3513d1f4c5f902ffdbdf11d251c2712a84011b28fca20aaef5
Opcode Fuzzy Hash: 345b0d20b664bc5a7c067b8b85495d146ce8f508c18b5b2458494fa8c5d0ce26
Instruction Fuzzy Hash: 5F72E770A087459FCB29CF24C5D0AE9BBF1EF55304F1584AED99A8B342D338E985CB58

Function 00415D9A Relevance: .8, Instructions: 795COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f74d88c168b2656ab75066bc4e011c1757566443c1fcad1fbcf06b528a1986
Instruction ID: 136bcfac07b0c46142f126060f48d767d5d9002a5a6c7f55271a6c6e067ee92a
Opcode Fuzzy Hash: 55f74d88c168b2656ab75066bc4e011c1757566443c1fcad1fbcf06b528a1986
Instruction Fuzzy Hash: 8C72B070A04645DFCB19CF68C5806EDBBB1FF45308F2981AED8598B742C339E991CB59

Function 0041BCD9 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: fa64fecedd4ee0fbc6ebc6d5fd45eff142ec883d8ec5514f9c97111b8272a84e
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 93D18E73C0E9B34A8735812D84582BBEE62AFD175031EC3E2DCE42F389D62B5D9196D4

Function 0041B8B9 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 1a9104bdc18b99a6bc3a57d880f0b00b8efb4b2948f4f82757f4a36a4691901f
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 8DD18E73D1E9B30A8735812D80682ABEE62AFD175031EC3E2DCE42F389D72B5D9195D4

Function 0041B4AD Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 29e0c2194e43b481a6c61040bafb45c2199937250b84d4f9493dc4b244529513
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 24C16E73C0E9B30A8736812D81685ABEE62AFD175031FC3A2DCE42F389D36B5D9195D4

Function 0041B0D9 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 2db7ca3506525dcc090db9a2522c638e963424884ad3e69ae6d01f57f6380b46
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 7AC17173D0E9B3068735812E84686ABEE62AFD175031FC3E29CE42F389D32B5D9495D4

Function 0041462B Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c5e34f9abefec6387e3142de93532e06a17bc948433487153fd85e66a9dea7
Instruction ID: 3d3811311c0e96151038b15cdb33c9c3baef1538c920ea216c41a1bce0e780a6
Opcode Fuzzy Hash: 74c5e34f9abefec6387e3142de93532e06a17bc948433487153fd85e66a9dea7
Instruction Fuzzy Hash: DC812731600644ABDB14EF29C590BFD73A5EB92318F20842FE9569B2C2C77CD9C2CB59

Function 0040CB23 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10288e97197f0ad943ca35c4742294250ec2590f5ea2a5543df369fbf88b7a0a
Instruction ID: 755fc568a246bd0a3aab6df15388740ae6706893d1001b075bd9344283f82762
Opcode Fuzzy Hash: 10288e97197f0ad943ca35c4742294250ec2590f5ea2a5543df369fbf88b7a0a
Instruction Fuzzy Hash: FFC151B48182D9AECF01DFA5D4A09FEBFF4AF1A240B0950DAE5D5A7252C234D720DB64

Function 0040C756 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e054519032d673b283cd141de9047936413c4ec94c95275afdf7b1c1e6e7c11b
Instruction ID: cc05d4957c3f93bbff5645bcbd2bf23a73745bdaee5f26767fd414b38deba9ac
Opcode Fuzzy Hash: e054519032d673b283cd141de9047936413c4ec94c95275afdf7b1c1e6e7c11b
Instruction Fuzzy Hash: 7281E35220E2E18EE71AC73C14E96F63FA11F72100B2EA2EEC4CD4F6D7D665051AD729

Function 0040C4FF Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae54acdac3927cc066ee4afd89015ce1ad81bcf754d871dab6d471837bf2d3e
Instruction ID: ff0af43037c4d522a8ee791cbe8e93d8d44487ff0532052a3f1666816209b0e9
Opcode Fuzzy Hash: aae54acdac3927cc066ee4afd89015ce1ad81bcf754d871dab6d471837bf2d3e
Instruction Fuzzy Hash: CF51F874804298AACF11CFA4C4D05FDBFB0EF5A328F6955BFD8857B282C2356646CB94

Function 0041450F Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b2d21a1de5244f25583c5063fbcf28c6649e746e5830653507aa8b0461497a
Instruction ID: 1b781f1f23d015917a337ea3c6206954a5313e6084e2437016288461132a8366
Opcode Fuzzy Hash: 51b2d21a1de5244f25583c5063fbcf28c6649e746e5830653507aa8b0461497a
Instruction Fuzzy Hash: EF312372A10605ABCB04DF38C4912DEBBE2EF81308F14812FD865DB782D37DA945CB94

Function 00405610 Relevance: .1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866ee34adc6fec30ee19582cd252525266032b464ccb2f20f1e66a817629a287
Instruction ID: 2ccb413243c8e3f3810094ea986113c02d7a387cc67c693c5ca68079d889c8bb
Opcode Fuzzy Hash: 866ee34adc6fec30ee19582cd252525266032b464ccb2f20f1e66a817629a287
Instruction Fuzzy Hash: 2821D872A106716BD7048F65EC8412733A2D7CA3617DB4237DF445B3B1D135B922CAE8

Function 0040A3DC Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040A403
_wcsncpy.LIBCMT ref: 0040A43A
_wcscpy.LIBCMT ref: 0040A444

Strings

\\?\, xrefs: 0040A434, 0040A479, 0040A4E5, 0040A53D
UNC, xrefs: 0040A487

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcscpy_wcslen_wcsncpy
String ID: UNC$\\?\
API String ID: 677062453-253988292
Opcode ID: 2abde0defb8e8217f0e08e38dadbd9202aa69e0edf90a9fc0407522747aefdaa
Instruction ID: cd13f9bd72fca169d524aa050727d65a10ef4dcd9f377a8cbe6755f4863ba3db
Opcode Fuzzy Hash: 2abde0defb8e8217f0e08e38dadbd9202aa69e0edf90a9fc0407522747aefdaa
Instruction Fuzzy Hash: 7441AF7294131476DB20AA618C82AEB33687F55748F04442FF954732C2E7BCD6A586AB

Function 00419779 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0041979F
_malloc.LIBCMT ref: 004197AC

Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5

_wcscpy.LIBCMT ref: 004197C5
_wcscat.LIBCMT ref: 004197D0
_wcscat.LIBCMT ref: 004197DB
_wcscat.LIBCMT ref: 00419816
_wcscat.LIBCMT ref: 00419827
_wcslen.LIBCMT ref: 00419840
GlobalAlloc.KERNEL32(00000040,-00000009,?,<html>,00000006), ref: 00419851
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000106,00000000,00000000), ref: 00419872
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 0041989A

Strings

</html>, xrefs: 00419821
utf-8"></head>, xrefs: 004197D5
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 004197CA
<html>, xrefs: 004197BE, 004197C3, 004197FB

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcscat$Global_wcslen$AllocAllocateByteCharCreateHeapMultiStreamWide_malloc_wcscpy
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4158105118-4209811716
Opcode ID: b13132087b6157768e62f45c8a46c0f1663856c825173c1b80b74b9a5b241520
Instruction ID: 9750a07ada00fadd6417d4a808c8c0194c88b3581ecb1a923ba5d07fa5d26e01
Opcode Fuzzy Hash: b13132087b6157768e62f45c8a46c0f1663856c825173c1b80b74b9a5b241520
Instruction Fuzzy Hash: 1C312A32900205BBDB11BB659C95EEF77789F42724F14415FF810AB2C6DB7C8E81836A

Function 0040E46C Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 174windowCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040E489
_memset.LIBCMT ref: 0040E4A4
ShellExecuteExW.SHELL32(?), ref: 0040E59A
IsWindowVisible.USER32(?), ref: 0040E5D3
ShowWindow.USER32(?,00000000), ref: 0040E5E1
WaitForInputIdle.USER32(?,000007D0), ref: 0040E5EF
GetExitCodeProcess.KERNEL32(?,?), ref: 0040E60C
CloseHandle.KERNEL32(?), ref: 0040E62B
ShowWindow.USER32(?,00000001), ref: 0040E684

Strings

.exe, xrefs: 0040E636
.inf, xrefs: 0040E557
z(D, xrefs: 0040E53A

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_memset_wcslen
String ID: .exe$.inf$z(D
API String ID: 3215649069-3601587883
Opcode ID: bed88ef6189cab0bc2363a68129e730fc28d238946ac4723ee352b551c7a999f
Instruction ID: 3e26098100528e53db86749210a7047ac1cc05a8490cbdb1dbf577081e62715c
Opcode Fuzzy Hash: bed88ef6189cab0bc2363a68129e730fc28d238946ac4723ee352b551c7a999f
Instruction Fuzzy Hash: 8051B571910258BADF31AFA2EC405AE7BB4EF11304F444C7BE841B72E1E77999A5CB09

Function 00419A9D Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,00000000,?,?), ref: 00419AB7

Part of subcall function 00419A36: LoadCursorW.USER32(00000000,00007F00), ref: 00419A6D
Part of subcall function 00419A36: RegisterClassExW.USER32(00000030), ref: 00419A8E

GetWindowRect.USER32(?,?), ref: 00419AD8
GetParent.USER32(?), ref: 00419AEB
MapWindowPoints.USER32(00000000,00000000), ref: 00419AF0
DestroyWindow.USER32(?), ref: 00419AFE
GetParent.USER32(?), ref: 00419B1C
CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 00419B3B
ShowWindow.USER32(?,00000005,?), ref: 00419B6D
SetWindowTextW.USER32(?,00000000), ref: 00419B77
ShowWindow.USER32(00000000,00000005), ref: 00419B8D
UpdateWindow.USER32(?), ref: 00419B96

Strings

RarHtmlClassName, xrefs: 00419B35

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
String ID: RarHtmlClassName
API String ID: 3841971108-1658105358
Opcode ID: 16e1c11b631fea3f24aabbe380a880f14a925712ab14143eb1e2f30964cb5bb4
Instruction ID: a0655035169e6554100d25c4e6de203faa719369231219c5c88fda93c074337e
Opcode Fuzzy Hash: 16e1c11b631fea3f24aabbe380a880f14a925712ab14143eb1e2f30964cb5bb4
Instruction Fuzzy Hash: 0331B035600604EFCB319F65EC48EAFBBB9FF44700F10451AF91692260D735AD51DBA9

Function 00405164 Relevance: 21.1, APIs: 14, Instructions: 91COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00405182
_wcslen.LIBCMT ref: 0040518A
_wcscpy.LIBCMT ref: 0040519A
_wcslen.LIBCMT ref: 004051A0
_wcscpy.LIBCMT ref: 004051B8
_wcslen.LIBCMT ref: 004051BE
_wcscpy.LIBCMT ref: 004051CD
_wcslen.LIBCMT ref: 004051D3
_memset.LIBCMT ref: 004051E8
GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405234
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 0040523C
CommDlgExtendedError.COMDLG32(?,?,?,?,?,000000A2), ref: 00405244
GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405260
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405268

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FileName_wcscpy_wcslen$OpenSave$CommErrorExtended_memset
String ID:
API String ID: 3496903968-0
Opcode ID: 446a76bb310dad6e5806d0052d9e568853349a282fe8c87d623ef543e340e0f8
Instruction ID: 017447a648ceccb586da1f31f92202068c03838f3088d87860c47b682a039f1a
Opcode Fuzzy Hash: 446a76bb310dad6e5806d0052d9e568853349a282fe8c87d623ef543e340e0f8
Instruction Fuzzy Hash: D531D775901618ABCB11AFA5DC45ACF7BB8EF04314F00002AF904B7281DB38DA958FAE

Function 00419D0B Relevance: 19.6, APIs: 13, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00419D17
CreateCompatibleDC.GDI32(00000000), ref: 00419D27
CreateCompatibleDC.GDI32(?), ref: 00419D2E
GetObjectW.GDI32(?,00000018,?), ref: 00419D3C
CreateCompatibleBitmap.GDI32(?,00000200,00419EBD), ref: 00419D5E
SelectObject.GDI32(00000000,?), ref: 00419D71
SelectObject.GDI32(?,00000200), ref: 00419D7C
StretchBlt.GDI32(?,00000000,00000000,00000200,00419EBD,00000000,00000000,00000000,?,?,00CC0020), ref: 00419D9A
SelectObject.GDI32(00000000,?), ref: 00419DA4
SelectObject.GDI32(?,00419EBD), ref: 00419DAC
DeleteDC.GDI32(00000000), ref: 00419DB5
DeleteDC.GDI32(?), ref: 00419DBA
ReleaseDC.USER32(00000000,?), ref: 00419DC0

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$BitmapReleaseStretch
String ID:
API String ID: 3950507155-0
Opcode ID: c5f4d7ef721d9f2cf6d28cde0393e927751e3943138dffdaa34ce4f2faff49d0
Instruction ID: fe64683af8def945f8560e9c967618457674570685148338231d72a037962566
Opcode Fuzzy Hash: c5f4d7ef721d9f2cf6d28cde0393e927751e3943138dffdaa34ce4f2faff49d0
Instruction Fuzzy Hash: C021A076900218FFCF129FA1DC48DDEBFBAFB48350B104466F914A2120C7369A65EFA4

Function 0041E854 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042D8A0,0000000C,0041E98F,00000000,00000000,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 0041E866
__crt_waiting_on_module_handle.LIBCMT ref: 0041E871

Part of subcall function 00421465: Sleep.KERNEL32(000003E8,00000000,?,0041E7B7,KERNEL32.DLL,?,0041E803,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 00421471
Part of subcall function 00421465: GetModuleHandleW.KERNEL32(00000000,?,0041E7B7,KERNEL32.DLL,?,0041E803,?,0041FE78,0041A9BA,?,?,?,0041A9BA,00000000,?), ref: 0042147A

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041E89A
GetProcAddress.KERNEL32(0041A9BA,DecodePointer), ref: 0041E8AA
__lock.LIBCMT ref: 0041E8CC
InterlockedIncrement.KERNEL32(?), ref: 0041E8D9
__lock.LIBCMT ref: 0041E8ED
___addlocaleref.LIBCMT ref: 0041E90B

Strings

DecodePointer, xrefs: 0041E8A2
EncodePointer, xrefs: 0041E88E
KERNEL32.DLL, xrefs: 0041E860, 0041E865, 0041E870

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: d8a1d3b64ce03b740c9770e28a10d8a3d1cb693a8f1fd6d09f99049fe87b25f8
Instruction ID: 28857185edf288c115030afddfc21b3ad53991f12277c54fa87cb1ac16e0dfb5
Opcode Fuzzy Hash: d8a1d3b64ce03b740c9770e28a10d8a3d1cb693a8f1fd6d09f99049fe87b25f8
Instruction Fuzzy Hash: 82119071A40701AFD720AF36D805B9EBBE0AF44314F60456FE8A997290CB78A981CF5D

Function 0040F0C2 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0040F152
_wcscpy.LIBCMT ref: 0040F171
_wcschr.LIBCMT ref: 0040F17F
_wcscpy.LIBCMT ref: 0040F19F
_wcscpy.LIBCMT ref: 0040F229
_wcscpy.LIBCMT ref: 0040F2E1
_wcscpy.LIBCMT ref: 0040F35E

Part of subcall function 00410B9C: _wcsncpy.LIBCMT ref: 00410BB3

SHChangeNotify.SHELL32(00001000,00000005,00000000,00000000), ref: 0040F3F0

Strings

.lnk, xrefs: 0040F321, 0040F331
", xrefs: 0040F157

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcscpy$ChangeNotify_wcschr_wcsncpy
String ID: "$.lnk
API String ID: 1911921660-4024015082
Opcode ID: bb3ca6cd81c2d3ad9077df71b8a1193f574709db9a1feafa84c70d00a6701fe0
Instruction ID: e9d5912a6b4b3542aee3cadb88dbd3b5a863ff0206024957ce050cac0ef3000c
Opcode Fuzzy Hash: bb3ca6cd81c2d3ad9077df71b8a1193f574709db9a1feafa84c70d00a6701fe0
Instruction Fuzzy Hash: 5191227280022899DF35DBA5CC49EEEB37CBB44304F4405BBE509F7181EB789AD98B59

Function 0040EEC9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?), ref: 0040EEE6

Part of subcall function 0040A116: _wcslen.LIBCMT ref: 0040A11C
Part of subcall function 0040A116: _wcscat.LIBCMT ref: 0040A13B

_swprintf.LIBCMT ref: 0040EF22

Part of subcall function 0040BC16: __vswprintf_c_l.LIBCMT ref: 0040BC29

SetDlgItemTextW.USER32(?,00000066,?), ref: 0040EF44
_wcschr.LIBCMT ref: 0040EF77
_wcscpy.LIBCMT ref: 0040EFBB
_wcscpy.LIBCMT ref: 0040EFE4
_wcscpy.LIBCMT ref: 0040EFF7
MessageBoxW.USER32(?,00000000,00000000,00000024), ref: 0040F027
EndDialog.USER32(?,00000001), ref: 0040F049

Strings

%s%s%d, xrefs: 0040EEFF, 0040EF19

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcscpy$DialogItemMessagePathTempText__vswprintf_c_l_swprintf_wcscat_wcschr_wcslen
String ID: %s%s%d
API String ID: 1897388972-1000756122
Opcode ID: f75e7cfbeccc15e09081c60efc06442c44850a7c3c336a2ff36c1e07c701c860
Instruction ID: 7c5ef0a1406295de31e953a15a9408ca88d5d0b5476cb7747de3243763a4baae
Opcode Fuzzy Hash: f75e7cfbeccc15e09081c60efc06442c44850a7c3c336a2ff36c1e07c701c860
Instruction Fuzzy Hash: 325176728001199BDB21DF61DC44BEE77B8FB04308F0445BBEA09E7191E7789AE98F59

Function 004191D8 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004191E3
_malloc.LIBCMT ref: 004191F1

Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5

_wcscpy.LIBCMT ref: 0041920F
_wcslen.LIBCMT ref: 00419215
_wcscpy.LIBCMT ref: 0041925D

Strings

, xrefs: 0041922D
<br>, xrefs: 00419255
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00419209
 , xrefs: 00419292

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcscpy_wcslen$AllocateHeap_malloc
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2405444336-406990186
Opcode ID: ef4270a2c62554232e7dcaf25c2b62ab2229b7f12839ff23f0a1ced700b27f0b
Instruction ID: 0e02d37120f5dc5c9773bcbd7ae744d1444ccd80410fa70afd17435bf81929d8
Opcode Fuzzy Hash: ef4270a2c62554232e7dcaf25c2b62ab2229b7f12839ff23f0a1ced700b27f0b
Instruction Fuzzy Hash: BF21FB76904304BBDB20AB54DC41ADAB3B4EF45314B20445BE455A7390E7BC9ED1839E

Function 0040F47B Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,?), ref: 0040F4E4
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0040F4F9
GetDlgItem.USER32(?,00000065), ref: 0040F508
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0040F51D
GetSysColor.USER32(0000000F), ref: 0040F521
SendMessageW.USER32(?,00000443,00000000,00000000), ref: 0040F531
SetForegroundWindow.USER32(?), ref: 0040F54B
EndDialog.USER32(?,00000001), ref: 0040F57E

Strings

LICENSEDLG, xrefs: 0040F487

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: MessageSend$Item$ColorDialogForegroundWindow
String ID: LICENSEDLG
API String ID: 3794146707-2177901306
Opcode ID: d29b6d15fe2784098a0e22a55afb32f4fb9deba78a5e36aabb146d1ab528ff85
Instruction ID: 7fefae372e04e04a7da23b2667bfd905224a5402d39c62195e2e2b0091848963
Opcode Fuzzy Hash: d29b6d15fe2784098a0e22a55afb32f4fb9deba78a5e36aabb146d1ab528ff85
Instruction Fuzzy Hash: E521F9312002047BDB31AF61EC45E5B3B6DEB89B10F408436FE15B51E2D6798955CB2C

Function 0040DBC1 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0040DBE1
GetClassNameW.USER32(00000000,?,00000800), ref: 0040DC1A

Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409CA8,?,00000000,?,00409DC2,00000000,-00000002,?,00000000,?), ref: 00411E76

GetWindowLongW.USER32(00000000,000000F0), ref: 0040DC38
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0040DC4F
GetObjectW.GDI32(00000000,00000018,?), ref: 0040DC5E

Part of subcall function 00419E13: GetDC.USER32(00000000), ref: 00419E1F
Part of subcall function 00419E13: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00419E2E
Part of subcall function 00419E13: ReleaseDC.USER32(00000000,00000000), ref: 00419E3C

Part of subcall function 00419DD0: GetDC.USER32(00000000), ref: 00419DDC
Part of subcall function 00419DD0: GetDeviceCaps.GDI32(00000000,00000058), ref: 00419DEB
Part of subcall function 00419DD0: ReleaseDC.USER32(00000000,00000000), ref: 00419DF9

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040DC85
DeleteObject.GDI32(00000000), ref: 0040DC90
GetWindow.USER32(00000000,00000002), ref: 0040DC99

Strings

STATIC, xrefs: 0040DC20

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 9567939a25e22092ccbfb99d506bbc14daa15c8c25c728e04901b5a25124ff52
Instruction ID: 65505d2462e9bd66d8f24c48bff8a2f322d46b7930d969d63ebb67ecbc3f0dac
Opcode Fuzzy Hash: 9567939a25e22092ccbfb99d506bbc14daa15c8c25c728e04901b5a25124ff52
Instruction Fuzzy Hash: B321F132A40204BBEB21AB90CC46FEF77B8AF41B50F404026FD04B61C1CBB89D86D66D

Function 0040BF1D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BF8C
_strlen.LIBCMT ref: 0040BFBD
_swprintf.LIBCMT ref: 0040BFDF
_wcschr.LIBCMT ref: 0040C004
_wcsncpy.LIBCMT ref: 0040C038
_wcsrchr.LIBCMT ref: 0040C049
_wcscpy.LIBCMT ref: 0040C067

Strings

%08x, xrefs: 0040BFD4

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcscpy_wcsncpy_wcsrchr
String ID: %08x
API String ID: 3224783807-3682738293
Opcode ID: 2200e9e523ffbcd5ccc4f85804e7305beb7f218704d283e0c38cbcae486b8257
Instruction ID: 07d0537aec3a1dd66ebb0c57739ff8632de72c66deae5d09d2d4ff76284a4df6
Opcode Fuzzy Hash: 2200e9e523ffbcd5ccc4f85804e7305beb7f218704d283e0c38cbcae486b8257
Instruction Fuzzy Hash: 4841E832500219AADB24AB64CC85AFF32ACDF40754F54413BB915E71C1DB7DDD80C6AE

Function 0040A8A1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0040A76A: _wcsrchr.LIBCMT ref: 0040A77E

_wcslen.LIBCMT ref: 0040A8D7
_wcscpy.LIBCMT ref: 0040A90C

Part of subcall function 00410BC9: _wcslen.LIBCMT ref: 00410BCF
Part of subcall function 00410BC9: _wcsncat.LIBCMT ref: 00410BE8

_wcslen.LIBCMT ref: 0040A94C
_wcscpy.LIBCMT ref: 0040A9BE

Strings

rar, xrefs: 0040A906
.rar, xrefs: 0040A8B8
sfx, xrefs: 0040A8F7
exe, xrefs: 0040A8E8

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcslen$_wcscpy$_wcsncat_wcsrchr
String ID: .rar$exe$rar$sfx
API String ID: 1023950463-630704357
Opcode ID: 9e98728e43a4f5731da7381b6b017391db5884caad39c64eb22fb19538172cba
Instruction ID: 29a0ca65efafee0ddffcc544de8f71498ac5d95f7ded716494b7ad5447c572c4
Opcode Fuzzy Hash: 9e98728e43a4f5731da7381b6b017391db5884caad39c64eb22fb19538172cba
Instruction Fuzzy Hash: 233106B170431056C3206B259C46A7B63A8DF05794B264C3BF882BB1E1E77C98E2925F

Function 0041963B Relevance: 13.6, APIs: 9, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00419654
GetTickCount.KERNEL32 ref: 0041966F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00419683
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00419694
TranslateMessage.USER32(?), ref: 0041969E
DispatchMessageW.USER32(?), ref: 004196A8
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000204,?), ref: 00419748
ShowWindow.USER32(?,00000005), ref: 00419753
SetWindowTextW.USER32(?,00000000), ref: 0041975D

Part of subcall function 0041A506: __lock.LIBCMT ref: 0041A524
Part of subcall function 0041A506: ___sbh_find_block.LIBCMT ref: 0041A52F
Part of subcall function 0041A506: ___sbh_free_block.LIBCMT ref: 0041A53E
Part of subcall function 0041A506: RtlFreeHeap.NTDLL(00000000,00000000,0042D658,0000000C,0041EF84,00000000,0042D930,0000000C,0041EFBE,00000000,0041A9AB,?,00425448,00000004,0042DB18,0000000C), ref: 0041A56E
Part of subcall function 0041A506: GetLastError.KERNEL32(?,00425448,00000004,0042DB18,0000000C,0042133E,00000000,0041A9BA,00000000,00000000,00000000,?,0041E966,00000001,00000214), ref: 0041A57F

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Message$Window$CountTick$DispatchErrorFreeHeapLastPeekShowTextTranslate___sbh_find_block___sbh_free_block__lock
String ID:
API String ID: 1762286965-0
Opcode ID: 748e2987246eabe4ea9cf9adf1aa4bbad94aab04b0c2a3b2d0d409a63cb1e23e
Instruction ID: 0fcf3197ed2ac79a16e8f935243f891c0de6f754acb5965f6be033bd159a0870
Opcode Fuzzy Hash: 748e2987246eabe4ea9cf9adf1aa4bbad94aab04b0c2a3b2d0d409a63cb1e23e
Instruction Fuzzy Hash: F4412871A00219EFCB10EFA5C8989DEBB79FF49751B10846AF905D7250D738DE81CBA4

Function 004084EE Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004084F3
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00408516
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00408535

Part of subcall function 0040A5DB: _wcslen.LIBCMT ref: 0040A5E1

Part of subcall function 00411E60: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409CA8,?,00000000,?,00409DC2,00000000,-00000002,?,00000000,?), ref: 00411E76

_swprintf.LIBCMT ref: 004085CD

Part of subcall function 0040BC16: __vswprintf_c_l.LIBCMT ref: 0040BC29

MoveFileW.KERNEL32(?,00000000), ref: 00408639
MoveFileW.KERNEL32(00000000,?), ref: 0040867C

Part of subcall function 00410B9C: _wcsncpy.LIBCMT ref: 00410BB3

Strings

rtmp%d, xrefs: 004085BA

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen_wcsncpy
String ID: rtmp%d
API String ID: 506780119-3303766350
Opcode ID: a91559be58acffd0dc5b452dff065d579de74766ff3e95af3a762548e6537785
Instruction ID: 086441498323e4bc326e09acd5d1366d0aff3811eaae5beb392a373780c828d6
Opcode Fuzzy Hash: a91559be58acffd0dc5b452dff065d579de74766ff3e95af3a762548e6537785
Instruction Fuzzy Hash: DE415E71901218AACB20EB61CE45EDF777CAF00394F0008ABB585B7181EA7D9B959E68

Function 0040AA7D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040AAA4

Part of subcall function 0040BC16: __vswprintf_c_l.LIBCMT ref: 0040BC29

_wcschr.LIBCMT ref: 0040AAC2
_wcschr.LIBCMT ref: 0040AAD2
_wcsncpy.LIBCMT ref: 0040AAF8

Strings

%s.%d.tmp, xrefs: 0040AA82
%c:\, xrefs: 0040AA9A

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf_wcsncpy
String ID: %c:\$%s.%d.tmp
API String ID: 2474501127-1021493711
Opcode ID: da4b65786035d2197ed7d49f53fcd311549ea47fe36f06ac93baee63d6beaa20
Instruction ID: b4756b8e91951cb7d51e69898c9cc4431ccaeceaeab60524178106c8bdd82eb4
Opcode Fuzzy Hash: da4b65786035d2197ed7d49f53fcd311549ea47fe36f06ac93baee63d6beaa20
Instruction Fuzzy Hash: 8101042320431169DA20EB769C45C6B73ACDFD93A0B00883FF584E31C1EA78D4A0C27B

Function 004192D0 Relevance: 12.1, APIs: 8, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004192E2
GetTickCount.KERNEL32 ref: 004192E7
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00419316
TranslateMessage.USER32(?), ref: 00419324
DispatchMessageW.USER32(?), ref: 0041932E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041933B
GetTickCount.KERNEL32 ref: 00419341
VariantInit.OLEAUT32(?), ref: 0041934E

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Message$CountTick$DispatchInitPeekTranslateVariant
String ID:
API String ID: 4242828014-0
Opcode ID: 3739eaef324a12835188418d8e4db8062592f3b82a480bdb7c4c47042269d501
Instruction ID: 9cb0af2a0f3e63d9aa0a53d062aebc77c377528e3d470f830326fa06e80cb38f
Opcode Fuzzy Hash: 3739eaef324a12835188418d8e4db8062592f3b82a480bdb7c4c47042269d501
Instruction Fuzzy Hash: C121F7B1E00208AFDB10DFE4D888EEEBBBCEF48305F504866F911E7250D6799E458B61

Function 00419EA0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 184comCOMMON

Download Yara Rule

APIs

Part of subcall function 00419E75: GetDC.USER32(00000000), ref: 00419E79
Part of subcall function 00419E75: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00419E84
Part of subcall function 00419E75: ReleaseDC.USER32(00000000,00000000), ref: 00419E8F

GetObjectW.GDI32(00000200,00000018,?), ref: 00419ECD
CoCreateInstance.OLE32(0042B208,00000000,00000001,0042B100,?,00000000,?), ref: 00419EFD

Part of subcall function 00419D0B: GetDC.USER32(00000000), ref: 00419D17
Part of subcall function 00419D0B: CreateCompatibleDC.GDI32(00000000), ref: 00419D27
Part of subcall function 00419D0B: CreateCompatibleDC.GDI32(?), ref: 00419D2E
Part of subcall function 00419D0B: GetObjectW.GDI32(?,00000018,?), ref: 00419D3C
Part of subcall function 00419D0B: CreateCompatibleBitmap.GDI32(?,00000200,00419EBD), ref: 00419D5E
Part of subcall function 00419D0B: SelectObject.GDI32(00000000,?), ref: 00419D71
Part of subcall function 00419D0B: SelectObject.GDI32(?,00000200), ref: 00419D7C
Part of subcall function 00419D0B: StretchBlt.GDI32(?,00000000,00000000,00000200,00419EBD,00000000,00000000,00000000,?,?,00CC0020), ref: 00419D9A
Part of subcall function 00419D0B: SelectObject.GDI32(00000000,?), ref: 00419DA4
Part of subcall function 00419D0B: SelectObject.GDI32(?,00419EBD), ref: 00419DAC
Part of subcall function 00419D0B: DeleteDC.GDI32(00000000), ref: 00419DB5
Part of subcall function 00419D0B: DeleteDC.GDI32(?), ref: 00419DBA
Part of subcall function 00419D0B: ReleaseDC.USER32(00000000,?), ref: 00419DC0

Strings

(, xrefs: 00419FA5

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$DeleteRelease$BitmapCapsDeviceInstanceStretch
String ID: (
API String ID: 189428636-3887548279
Opcode ID: 2c95d850f981d7af9c5ed3b9bf4fae1c522e7595f6c5569b0b0a1ef1f992ee39
Instruction ID: d8cf3f11634150c5eb1370622c6fe0712570af28e2ae67cdae83cea958a68594
Opcode Fuzzy Hash: 2c95d850f981d7af9c5ed3b9bf4fae1c522e7595f6c5569b0b0a1ef1f992ee39
Instruction Fuzzy Hash: 21610875A00209EFCB00DFA5D888EEEBBB9FF89704B10845AF815EB250D7759E51CB64

Function 0041947D Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00419489
_malloc.LIBCMT ref: 00419493

Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5

Strings

<style>, xrefs: 00419598
</p>, xrefs: 00419549
<br>, xrefs: 00419560
</style>, xrefs: 004195B3

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AllocateHeap_malloc_wcslen
String ID: </p>$</style>$<br>$<style>
API String ID: 4208083856-1200123991
Opcode ID: 84057df06bfe7753af8be449b5ed96cf61f8b1a65555f0712547b90151fa4e6f
Instruction ID: 25e48dc46573b9320602deb0b34776bf62bfe2b29788b043e296d39cf0375d11
Opcode Fuzzy Hash: 84057df06bfe7753af8be449b5ed96cf61f8b1a65555f0712547b90151fa4e6f
Instruction Fuzzy Hash: 69412477645212B5DB315B1998217FA73A69F01754F68401BED81B32C0E76C8EC2C26D

Function 004113F1 Relevance: 10.6, APIs: 7, Instructions: 134timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00409C06: GetVersionExW.KERNEL32(?), ref: 00409C2B

FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 00411425
FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00411435
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00411441
SystemTimeToFileTime.KERNEL32(?,?), ref: 0041144F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00411459
FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000000,00000001), ref: 004114A6
SystemTimeToFileTime.KERNEL32(?,?), ref: 00411523

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: b334752188d409053c41308d043ef773f1ba1375d33674074c65fffa3be1e0d1
Instruction ID: 2321c29e0176793db35fe244bdb3b2ca835dfa759224b44d16608c614d02fbda
Opcode Fuzzy Hash: b334752188d409053c41308d043ef773f1ba1375d33674074c65fffa3be1e0d1
Instruction Fuzzy Hash: 40410AB1E00218AFCB14DFA9C8849EEB7F9FF48314B14852FE946E7240D778A945CB64

Function 0040D92D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040D941

Part of subcall function 0041CF3E: __FF_MSGBANNER.LIBCMT ref: 0041CF61
Part of subcall function 0041CF3E: __NMSG_WRITE.LIBCMT ref: 0041CF68
Part of subcall function 0041CF3E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004212F4,00000000,00000001,00000000,?,0041EF2D,00000018,0042D930,0000000C,0041EFBE), ref: 0041CFB5

_wcslen.LIBCMT ref: 0040D981
_wcscat.LIBCMT ref: 0040D998
_wcslen.LIBCMT ref: 0040D99E
_wcscpy.LIBCMT ref: 0040D9CC

Strings

}, xrefs: 0040D970

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcslen$AllocateHeap_malloc_wcscat_wcscpy
String ID: }
API String ID: 2020890722-4239843852
Opcode ID: 87a1d4075c0fbabaaf42ee75a1288eb88e4c448287557cbd43c96a9187b86b14
Instruction ID: a9b9a9eb170ff11f00d7125a4cd00596761e48c06437fb6caf1dcbb108c8f9f0
Opcode Fuzzy Hash: 87a1d4075c0fbabaaf42ee75a1288eb88e4c448287557cbd43c96a9187b86b14
Instruction Fuzzy Hash: 6111B771D0131A59EB25ABE08CC57DB72B8DF00354F10007BE645E22D1EBBC9A99C39D

Function 00411541 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,004116A7,?,?), ref: 00411592
LocalFileTimeToFileTime.KERNEL32(004116A7,?), ref: 004115BE
FileTimeToSystemTime.KERNEL32(004116A7,?), ref: 004115D4
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004115E4
SystemTimeToFileTime.KERNEL32(?,?), ref: 004115F2
SystemTimeToFileTime.KERNEL32(?,?), ref: 004115FC

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Time$File$System$Local$Specific
String ID:
API String ID: 3144155402-0
Opcode ID: f90245df41cc322dafe52bf530a12eef1bc8a67292351d8d3269b2ac88901438
Instruction ID: daaaa78088cd12f13caf2716ff388f37494b9d87aa27411613d97d80370a29eb
Opcode Fuzzy Hash: f90245df41cc322dafe52bf530a12eef1bc8a67292351d8d3269b2ac88901438
Instruction Fuzzy Hash: 92313276D001199BCB14DFD4C840AEFB7B9FF48710F04452AE946E3250E634A945CBA9

Function 0041DD85 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0041DDAD

Part of subcall function 0041A3D6: __getptd.LIBCMT ref: 0041A3E4
Part of subcall function 0041A3D6: __getptd.LIBCMT ref: 0041A3F2

__getptd.LIBCMT ref: 0041DDB7

Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4

__getptd.LIBCMT ref: 0041DDC5
__getptd.LIBCMT ref: 0041DDD3
__getptd.LIBCMT ref: 0041DDDE
_CallCatchBlock2.LIBCMT ref: 0041DE04

Part of subcall function 0041A47B: __CallSettingFrame@12.LIBCMT ref: 0041A4C7

Part of subcall function 0041DEAB: __getptd.LIBCMT ref: 0041DEBA
Part of subcall function 0041DEAB: __getptd.LIBCMT ref: 0041DEC8

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 5eb10d2cb4eb5e2da6c5453d1fe4c56248c4e16d68a7da2668f442ad0aab7930
Instruction ID: e3df1943845817192d3dafa627097d3dc4affc0cfff12b6418408f9c93a4c95a
Opcode Fuzzy Hash: 5eb10d2cb4eb5e2da6c5453d1fe4c56248c4e16d68a7da2668f442ad0aab7930
Instruction Fuzzy Hash: 9E1126B1D00209DFDF00EFA1C445AED7BB0FF04318F10806AF854AB251DB389A519B59

Function 0040D64B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D6AC
CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D6D3

Strings

-, xrefs: 0040D696
z8D, xrefs: 0040D71F

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CharUpper
String ID: -$z8D
API String ID: 9403516-4016828469
Opcode ID: 6e6643a8c5453ab08bb62a8daeba662149a01c951e73f69a55f52de3d79d5015
Instruction ID: 6cb870ea5eaa954c7fe556a8e422e29c236d8a0fbf71e72dd1f5d8a9bc66e192
Opcode Fuzzy Hash: 6e6643a8c5453ab08bb62a8daeba662149a01c951e73f69a55f52de3d79d5015
Instruction Fuzzy Hash: FE21A5B9C0011995DB60B7E98D48BBB66A8FB41304F144177E548B32D2EA7CDECC8B6D

Function 0040680A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040680F

Part of subcall function 00402C8B: __EH_prolog.LIBCMT ref: 00402C90

SetFileSecurityW.ADVAPI32(00000000,00000007,?,?,?,?,00000000,?,00406EF5,?,?,?,?,0040773A,?,?), ref: 00406897
SetFileSecurityW.ADVAPI32(?,00000007,?,00000000,?,00000800,?,0040773A,?,?,?,?,?,00000000,0040839C,?), ref: 004068BE

Strings

SeSecurityPrivilege, xrefs: 00406852
SeRestorePrivilege, xrefs: 00406867

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FileH_prologSecurity
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2167059215-639343689
Opcode ID: 72cefa14781493d3ceb14cba897e291cfc2eee12fd1132a67d2d49c664862da8
Instruction ID: e80266907105dbdc6ea336272c15ef3f26093cba4c1f52b7c6092cd65192489b
Opcode Fuzzy Hash: 72cefa14781493d3ceb14cba897e291cfc2eee12fd1132a67d2d49c664862da8
Instruction Fuzzy Hash: 8D219372901259BEDF21AF55DC01BAF77689B04758F00803BF802B62C1C7BC8A559BAD

Function 0040E1B2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040E1E8
DialogBoxParamW.USER32(GETPASSWORD1,?,0040D477,?,00000007), ref: 0040E22C

Strings

GETPASSWORD1, xrefs: 0040E221
z8D, xrefs: 0040E1CE
z8D, xrefs: 0040E26A

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1$z8D$z8D
API String ID: 3157717868-3779298832
Opcode ID: 8a5930b9f1bd4a7920270691445133db6bb9d1af5357342886f90841ecad1a96
Instruction ID: 2ec29a5f94ea44b227bd1a9c17bea14e87d691145e51ce1093468d312523c58d
Opcode Fuzzy Hash: 8a5930b9f1bd4a7920270691445133db6bb9d1af5357342886f90841ecad1a96
Instruction Fuzzy Hash: B71159717002445BEB21DF62AC80B973B99AB08765F08007BFD446B2D1C7BC8CA0C76D

Function 0040D3EE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 0040D431
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0040D447
SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D461
SetDlgItemTextW.USER32(?,00000066), ref: 0040D46C

Strings

RENAMEDLG, xrefs: 0040D3FD

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ItemText$Dialog
String ID: RENAMEDLG
API String ID: 1770891597-3299779563
Opcode ID: 762bcebfea9f2beca08e3ffb6bbc5115bfac0753acb3b7587415e25b8287d6f5
Instruction ID: a809f9c23db95260371581c6ee5cd384337b37eb9584205a8113e0e6bfd29c9a
Opcode Fuzzy Hash: 762bcebfea9f2beca08e3ffb6bbc5115bfac0753acb3b7587415e25b8287d6f5
Instruction Fuzzy Hash: 6F01D836A4421877DB205F949C41FBB3B69E705F50F544036FA01B61D0C6BAA8269BAE

Function 00405F3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405F41
_memset.LIBCMT ref: 00405FA4
_memset.LIBCMT ref: 00405FB0
_memset.LIBCMT ref: 00405FCE

Strings

r, xrefs: 00405F4A, 00405F66

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset$H_prolog
String ID: r
API String ID: 3013590873-3291565091
Opcode ID: adb95f05f7a194937a5df8f484bb6bf36145664ded8c6b0a2324601c3f7e7fd4
Instruction ID: fcb346f71e1c6521d09fa93fcec7134e0802dca7d1a5d7d76298086db4932847
Opcode Fuzzy Hash: adb95f05f7a194937a5df8f484bb6bf36145664ded8c6b0a2324601c3f7e7fd4
Instruction Fuzzy Hash: 880144B17417407AD220EB669C46FEBBAA8DB85B18F00041FB255661C2C7FC5941CA9D

Function 0041DAD4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041DAEE

Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4

__getptd.LIBCMT ref: 0041DAFF
__getptd.LIBCMT ref: 0041DB0D

Strings

csm, xrefs: 0041DAE7
MOC, xrefs: 0041DAE0

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
Instruction ID: 7ce874268d128f0e9cc5e4e4439fd54cca852ebc00a18d755191ea46e2ae681e
Opcode Fuzzy Hash: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
Instruction Fuzzy Hash: 8EE048755141048FDB50976AC445FA93394EB48318F1504A7E80CC7353D77CE8C0558B

Function 00421BA7 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00421BB3

Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4

__amsg_exit.LIBCMT ref: 00421BD3
__lock.LIBCMT ref: 00421BE3
InterlockedDecrement.KERNEL32(?), ref: 00421C00
InterlockedIncrement.KERNEL32(023216A0), ref: 00421C2B

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: c07a23924f397adfee97157b358641d3c25638586169e8846753b2e06e7a59ec
Instruction ID: 6d4d6cab2ca80c9586acdc371c3e58b42f7918e3e726cea937426c24952e9619
Opcode Fuzzy Hash: c07a23924f397adfee97157b358641d3c25638586169e8846753b2e06e7a59ec
Instruction Fuzzy Hash: 8401C439B40731ABC728AF56A40679E7760BF10724F94012BE804AB3A1CB3C6991DBDD

Function 00411E81 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00411E89
_wcslen.LIBCMT ref: 00411E9A
_wcslen.LIBCMT ref: 00411EAA
_wcslen.LIBCMT ref: 00411EB8
CompareStringW.KERNEL32(00000400,00001001,?,?,00000000,?,?,00000000,?,00409F60,__rar_,00000000,00000006,00000000,?,00000800), ref: 00411ED5

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: a78696411e0fb58170a85e42f91a72465e9b1cb7d1a352a10a0ff52bf1fcbbb8
Instruction ID: fd224344e63f22d7e065bf6fa160c6ce473b51916626f6dd2966927fcf662de7
Opcode Fuzzy Hash: a78696411e0fb58170a85e42f91a72465e9b1cb7d1a352a10a0ff52bf1fcbbb8
Instruction Fuzzy Hash: 5FF02436148148BFDF126F92EC01CDE3F26DB81375B244027FE298A0A0D635C9A29789

Function 0040272E Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00402A44

Strings

;%u, xrefs: 00402A32

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _swprintf
String ID: ;%u
API String ID: 589789837-535004727
Opcode ID: 8d6632be75e15c05decfb529c35803f2aea70f16b1fc9be6edc689b65e1f5e46
Instruction ID: 268b90de5ef8301e543b0e1450f18e5b796866e9caf2f0e9a7a428077d8a2ebb
Opcode Fuzzy Hash: 8d6632be75e15c05decfb529c35803f2aea70f16b1fc9be6edc689b65e1f5e46
Instruction Fuzzy Hash: ADE114702007445ADB24EF75C699BEE77E5AF40304F04053FE996A72C2DBBCA984CB5A

Function 00416790 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 381COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416795

Part of subcall function 004129F9: _realloc.LIBCMT ref: 00412A51

Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4

_memset.LIBCMT ref: 004169F6
_memset.LIBCMT ref: 00416BB0

Strings

, xrefs: 00416992

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset$H_prolog_malloc_realloc
String ID:
API String ID: 1826288403-3916222277
Opcode ID: e5527970fedf9361396c35484b990f069b2c3a7e4f541cdd1bc40a5546d77403
Instruction ID: b2eea235d821e150737843ebb12b5e68f22e0a3d12c725fcd3f3b3fef6346f43
Opcode Fuzzy Hash: e5527970fedf9361396c35484b990f069b2c3a7e4f541cdd1bc40a5546d77403
Instruction Fuzzy Hash: 92E1BF71A007499FCB10EF65C980BEEB7B1FF14304F11482EE956A7281DB39E991CB59

Function 00418B3D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 222COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00418C26
_wcscpy.LIBCMT ref: 00418C86
_wcscpy.LIBCMT ref: 00418D2D

Strings

T, xrefs: 00418CEF

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcscpy
String ID: T
API String ID: 3048848545-3187964512
Opcode ID: 7b9b9af83664cc87fe2d3df4d2851bf5f64a8acbd8ca5ef161931a2b21923617
Instruction ID: 08ee224434b4342d1c159c2c22343cdeaadf414e9d08c0d11a019e9d32988bbe
Opcode Fuzzy Hash: 7b9b9af83664cc87fe2d3df4d2851bf5f64a8acbd8ca5ef161931a2b21923617
Instruction Fuzzy Hash: 99910871600744AFDF24DF64C884BEAB7F8AF15304F0445AFE95997282CB78AAC4CB65

Function 00406D02 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406D07
_wcscpy.LIBCMT ref: 00406D3A

Part of subcall function 00410BC9: _wcslen.LIBCMT ref: 00410BCF
Part of subcall function 00410BC9: _wcsncat.LIBCMT ref: 00410BE8

SetFileTime.KERNEL32(?,?,?,?,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000), ref: 00406E78

Part of subcall function 0040908D: SetFileAttributesW.KERNEL32(00000000,00000000,76F93110,00000001,?,0040933D,00000000,?,?,0040941E,?,00000001,00000000,?,?), ref: 004090A8
Part of subcall function 0040908D: SetFileAttributesW.KERNEL32(?,00000000,00000000,?,00000800,?,0040933D,00000000,?,?,0040941E,?,00000001,00000000,?,?), ref: 004090D5

Strings

:, xrefs: 00406D70

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: File$Attributes$H_prologTime_wcscpy_wcslen_wcsncat
String ID: :
API String ID: 326910402-336475711
Opcode ID: 5e0e7d49851dca55c4deade094d134f4ea512213999111766949daa2ff960fa4
Instruction ID: 6639f4f99703ce1112f5787d69d8c123706ab186ca62756c3ad703d048bc38cc
Opcode Fuzzy Hash: 5e0e7d49851dca55c4deade094d134f4ea512213999111766949daa2ff960fa4
Instruction Fuzzy Hash: D0417F71905258AAEB20EB64CC55EEE737CAF04344F0040ABB556B71C2DB78AF94CF69

Function 0040D53E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 0040D5BE
GetDlgItemTextW.USER32(?,00000065,?,?), ref: 0040D5D3
SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D5E8

Strings

ASKNEXTVOL, xrefs: 0040D54D

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ItemText$Dialog
String ID: ASKNEXTVOL
API String ID: 1770891597-3402441367
Opcode ID: a8a6f44b6775d0cd3294368f2a4b23b4347bfb04fbb05bfaf2c83a68a4392c99
Instruction ID: 7c41b1936654f57e10877f1e9afce92132798bffb5e44c1de30f76ec9c95968c
Opcode Fuzzy Hash: a8a6f44b6775d0cd3294368f2a4b23b4347bfb04fbb05bfaf2c83a68a4392c99
Instruction Fuzzy Hash: 23118135600104BBDB219FA49C45F663775EB0A718F044036FE01FA1E0D77AD825AB59

Function 0041254D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004125BE
_memset.LIBCMT ref: 004125C7

Strings

, xrefs: 0041256C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Exception@8Throw_memset
String ID:
API String ID: 3963884845-3916222277
Opcode ID: 653566bfccebebc550ca30b6af37db387d4266e4fa5bc9fcb69beb97700c845e
Instruction ID: ba4e6bc0ef6041dd665025fb65f45a384477b48ee7e133f8ed84bbd0a598a512
Opcode Fuzzy Hash: 653566bfccebebc550ca30b6af37db387d4266e4fa5bc9fcb69beb97700c845e
Instruction Fuzzy Hash: 60110671E01218BACB14EFA9CAD55DEB776FF54344F10406BE405E7241D6B85BD2CB88

Function 0040D477 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 0040D4BE
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 0040D4D6
SetDlgItemTextW.USER32(?,00000066,?), ref: 0040D504

Strings

GETPASSWORD1, xrefs: 0040D489

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1
API String ID: 1770891597-3292211884
Opcode ID: 2c39065e7e84a8441d2400259efe6a077f35be0b7a0eee454e8495a0c984ab02
Instruction ID: 3eed9e1ab7e5d8a1da33783b11a95132ac7616313df89bdc2d2bc64375715bf5
Opcode Fuzzy Hash: 2c39065e7e84a8441d2400259efe6a077f35be0b7a0eee454e8495a0c984ab02
Instruction Fuzzy Hash: 4F11CE329001187ADB219FA1AC44EFB3A6DEF59754F404036FD05B20D0C67CD96A96AA

Function 00410F29 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,?,000001B8,0044F590,004110EE,00000020,?,00409901,?,?,?,0040BB60,?,?,00000000,?), ref: 00410F62
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F6C
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F7E

Strings

Thread pool initialization failed., xrefs: 00410F96

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 5d2de00027b14f6e07390935bc826641c20494178e34cc3b56ee4834533d8747
Instruction ID: 3f206ddc5264aa259e24750db78c3e6b08f6c9018291aa2998b68a3e9789e537
Opcode Fuzzy Hash: 5d2de00027b14f6e07390935bc826641c20494178e34cc3b56ee4834533d8747
Instruction Fuzzy Hash: FF115EB1600301AFD3305F659886BE7BBE8FB55315F60482FF6DAC6240D6B458C1CB18

Function 0040E6CF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0040E72A
REPLACEFILEDLG, xrefs: 0040E714, 0040E746

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 9dc2c4e2a994375845b1e54b9a4a57574d7f38f83bee2a11927b5ffac3eaf025
Instruction ID: 0892b1485419df81b4422e2148389c4265d0283c5dc75372e36aae0ff2247616
Opcode Fuzzy Hash: 9dc2c4e2a994375845b1e54b9a4a57574d7f38f83bee2a11927b5ffac3eaf025
Instruction Fuzzy Hash: AF017576604204BFC712AB55EC44A167BD5E74A751F040837F901E32B0D3764865DB6E

Function 0041E132 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0041E145

Part of subcall function 0041E0A0: ___BuildCatchObjectHelper.LIBCMT ref: 0041E0D6

_UnwindNestedFrames.LIBCMT ref: 0041E15C
___FrameUnwindToState.LIBCMT ref: 0041E16A

Strings

csm, xrefs: 0041E141, 0041E156, 0041E169, 0041E187, 0041E197

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: ffb5442ac62a4f85a48ef68d244cd4b92cff39c7c80ea712eb3c4bba393a9d17
Instruction ID: 59b9ad28f981bea14fd5052789bebdc6dccf333051ec123e92fb5a6599f75b08
Opcode Fuzzy Hash: ffb5442ac62a4f85a48ef68d244cd4b92cff39c7c80ea712eb3c4bba393a9d17
Instruction Fuzzy Hash: 14012479401109BBDF126E52CC45EEB3F6AEF09398F044016FD1815261DB3AA8B1EBA9

Function 0040C0F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0040C105
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0040C114

Strings

RTL, xrefs: 0040C10D, 0040C112, 0040C146
LTR, xrefs: 0040C124, 0040C129, 0040C138

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: f2852aa2e9ae8da3690023ec4cfec567c4dc869793b37f459442400b2d93c3ba
Instruction ID: 3bee6f5c2cd76a6cf6446ed83b6680fa0d6a216d229c8f919e909fc3329ffe0a
Opcode Fuzzy Hash: f2852aa2e9ae8da3690023ec4cfec567c4dc869793b37f459442400b2d93c3ba
Instruction Fuzzy Hash: 69F0243238026467DA2067756C4AFE72B7CAB81310F44057AB605E71C1CFA8D499CBEE

Function 00423463 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0041D860), ref: 00423468
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00423478

Strings

IsProcessorFeaturePresent, xrefs: 00423472
KERNEL32, xrefs: 00423463

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 7ab99d9e72488d8bf21e4bf78f78cc33f843bd022a3d825351adfd90e0f12518
Instruction ID: 925bd1e911d968a2cf7935e923f91739ef174afc765d351c528eb22c7f6e48fa
Opcode Fuzzy Hash: 7ab99d9e72488d8bf21e4bf78f78cc33f843bd022a3d825351adfd90e0f12518
Instruction Fuzzy Hash: C7F03060B00A1AD2DB116FA1BC1A67F7B78FB80742FD105D1D6D5E0084DF7885B1D38A

Function 00419A36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00419A6D
RegisterClassExW.USER32(00000030), ref: 00419A8E

Strings

0, xrefs: 00419A4C
RarHtmlClassName, xrefs: 00419A84

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$RarHtmlClassName
API String ID: 1693014935-3342523147
Opcode ID: 191bbc33d2b33050640957ba9683b50acfea39c34108bf4aa43fc12e5a7eb183
Instruction ID: b9ed7023dc6f3226d58ddf2044dfc6b29f2317d5cd4a011e6e0fd8f9270d308a
Opcode Fuzzy Hash: 191bbc33d2b33050640957ba9683b50acfea39c34108bf4aa43fc12e5a7eb183
Instruction Fuzzy Hash: 81F0F2B1D00228ABCB019F9AD844AEEFBF8FF98304F10805BE500B6250D7B916018FA9

Function 0040D5F7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0040D610
SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D643

Strings

sfxcmd, xrefs: 0040D60B
sfxpar, xrefs: 0040D63E

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: bac05ca2e549dd4e556f3ae34e89e1e7b45a97b9d2e2d38533528fd9b5159ab4
Instruction ID: 209d7830a902f923c059ddcb8ccd8c76eadbb62e41e0a08ffeb6939b57d6bf06
Opcode Fuzzy Hash: bac05ca2e549dd4e556f3ae34e89e1e7b45a97b9d2e2d38533528fd9b5159ab4
Instruction Fuzzy Hash: 29E0EC3660011437CA102A969C01EBB7A6CDBC1744F1000337E48A2080E979D89E8BED

Function 00410E1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,0040FF03,00000001), ref: 00410E21
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410E31

Strings

SetDllDirectoryW, xrefs: 00410E2B
kernel32, xrefs: 00410E1C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetDllDirectoryW$kernel32
API String ID: 1646373207-2052158636
Opcode ID: 613fa81eedf6cfefe4bb79f79fd7d80da4da150b27e50d1fb967e6d6e35de1a2
Instruction ID: d1dc000951ac042e8af12af71ac4f40d64c7c6d3e89629ddd7054994e9706fe8
Opcode Fuzzy Hash: 613fa81eedf6cfefe4bb79f79fd7d80da4da150b27e50d1fb967e6d6e35de1a2
Instruction Fuzzy Hash: 2BD0A7B03243215797282B729C1AB2B65584B50F027944D3E7E0AC0080CA6DC0A0853F

Function 00409135 Relevance: 6.1, APIs: 4, Instructions: 128filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00407536,?,?,?), ref: 004091CD
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00407536,?,?,?,?), ref: 00409204
SetFileTime.KERNEL32(?,00000000,00000000,00000000,?,00407536,?,?,?,?), ref: 00409275
CloseHandle.KERNEL32(?,?,00407536,?,?,?,?), ref: 0040927E

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 6a8276f57ee53cdbc91cc020f39a17d418f5c9fb0df3296a94224ec9e042af11
Instruction ID: 149005b1c5d3a5dbb79089aff48ec9cca0dae1d541df05bff41c4f18bd56acf5
Opcode Fuzzy Hash: 6a8276f57ee53cdbc91cc020f39a17d418f5c9fb0df3296a94224ec9e042af11
Instruction Fuzzy Hash: 1141A131A00248BEEF12DBA4CC49FEE7BB89F05304F1445AAF851BB2D2C6789E45D755

Function 00424FCE Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00425002
__isleadbyte_l.LIBCMT ref: 00425036
MultiByteToWideChar.KERNEL32(00000080,00000009,0041A9BA,?,00000000,00000000,?,?,?,?,0041A9BA,00000000,?), ref: 00425067
MultiByteToWideChar.KERNEL32(00000080,00000009,0041A9BA,00000001,00000000,00000000,?,?,?,?,0041A9BA,00000000,?), ref: 004250D5

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5ede48c89caf3767bd10844c4e2adb50473344288511d083f5bbcd5d287f352f
Instruction ID: 432046cfce088e341913eb2016d1b5e66f5b1b0e2666f0ac1bd271c546b36d2c
Opcode Fuzzy Hash: 5ede48c89caf3767bd10844c4e2adb50473344288511d083f5bbcd5d287f352f
Instruction Fuzzy Hash: C831D131B00265EFDB20DF64EC809BA7BA0EF41310F5685AAE4618B2D1D735D981DB99

Function 00413097 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00412F1C: _memset.LIBCMT ref: 00412F36

_memset.LIBCMT ref: 004130CD
_memset.LIBCMT ref: 004130E0
_memset.LIBCMT ref: 00413120
_memset.LIBCMT ref: 00413133

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 0d338722b2e3e51696f4e1a05dd7a6835afd7bcab5979c6f78e2f817af711592
Instruction ID: dbb621f027503421eccd8689c294ebf88999011181a54c0115c225b35bd7b5a3
Opcode Fuzzy Hash: 0d338722b2e3e51696f4e1a05dd7a6835afd7bcab5979c6f78e2f817af711592
Instruction Fuzzy Hash: 9811487164478069E220EA7A4C46FE3B6DD9B1931CF44883FF2DEC7183C6AA6846C756

Function 00411072 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411077
EnterCriticalSection.KERNEL32(0044F590,?,?,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED,?), ref: 00411085
LeaveCriticalSection.KERNEL32(0044F590,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED,?,?,?), ref: 004110F5

Part of subcall function 0041A89A: _malloc.LIBCMT ref: 0041A8B4

LeaveCriticalSection.KERNEL32(0044F590,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED,?,?,?), ref: 00411100

Part of subcall function 00410F29: InitializeCriticalSection.KERNEL32(000001A0,?,000001B8,0044F590,004110EE,00000020,?,00409901,?,?,?,0040BB60,?,?,00000000,?), ref: 00410F62
Part of subcall function 00410F29: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F6C
Part of subcall function 00410F29: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00409901,?,?,?,0040BB60,?,?,00000000,?,?,004124ED), ref: 00410F7E

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore_malloc
String ID:
API String ID: 1405584564-0
Opcode ID: 3f0bec743d3c3e54beb4ca038bcc84bad5a4a530a73f67f15a7eea00e341295c
Instruction ID: 491e5497db774d6ab3e78c5f78b9db4af1dc916e288055147b814ae628d52a75
Opcode Fuzzy Hash: 3f0bec743d3c3e54beb4ca038bcc84bad5a4a530a73f67f15a7eea00e341295c
Instruction Fuzzy Hash: 1A118234A01321EBD724AF74AC457EABBA4AB0C355F10453BE902E3692DBBC89D1865D

Function 0042332E Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00423354

Part of subcall function 00423179: __fltout2.LIBCMT ref: 004231A5

__cftog_l.LIBCMT ref: 0042337A
__cftoe_l.LIBCMT ref: 004233AC

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 44ddc5ebc1807cb1f8dbc3b2ce9dd0a677749795dee404b17e6a32e81244ff51
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: AE11723250015EFBCF125E85EC418EE3F32BB48355B988456FE1859130CA3ACAB2AB85

Function 00411A8F Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C3BF: LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C410
Part of subcall function 0040C3BF: LoadStringW.USER32(?,-004335D5,00000200), ref: 0040C422

_swprintf.LIBCMT ref: 00411AB8

Part of subcall function 0040BC16: __vswprintf_c_l.LIBCMT ref: 0040BC29

GetLastError.KERNEL32(?), ref: 00411AC0
MessageBoxW.USER32(?,00000000,00000096,00000035), ref: 00411AE2
SetLastError.KERNEL32(00000000), ref: 00411AEF

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ErrorLastLoadString$Message__vswprintf_c_l_swprintf
String ID:
API String ID: 2205000856-0
Opcode ID: 68bc4feaeb3ec1ded5fc4cddc0e8f758a38e28cbc6004bdae2a7d7facef01b9c
Instruction ID: 7f3341f69499fe42e6dffd8e50f304e55c87ac1a4f55305a7eb793650ce5b90b
Opcode Fuzzy Hash: 68bc4feaeb3ec1ded5fc4cddc0e8f758a38e28cbc6004bdae2a7d7facef01b9c
Instruction Fuzzy Hash: 74F02732140114ABF71137E08C4AECA379CFB087C5F000277FA01F21A2EA79996487BD

Function 00422313 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042231F

Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4

__getptd.LIBCMT ref: 00422336
__amsg_exit.LIBCMT ref: 00422344
__lock.LIBCMT ref: 00422354

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 2067aca802aea6c84e1c6e0627a9ce2a9215c14d0a893de0c815b7a1e0d9c920
Instruction ID: ac1e04e8c31356b773b53a495aea9e08dc5a2d3a98daccf88dafce2968103349
Opcode Fuzzy Hash: 2067aca802aea6c84e1c6e0627a9ce2a9215c14d0a893de0c815b7a1e0d9c920
Instruction Fuzzy Hash: D2F09631B00720EBDB60FBB6A50279D73A07F44724F54416FE844AB2D1CBBC9942DA5E

Function 00409DF7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409E24
_wcslen.LIBCMT ref: 00409F1F

Strings

__rar_, xrefs: 00409F56

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcslen
String ID: __rar_
API String ID: 176396367-2561138058
Opcode ID: cc00e60038d7e5b00a294da67532c8ff9d8da0984a3b6968a0dc5b622ff721b3
Instruction ID: 2f22db44ea277558b4e0ddbd7bf004989f9b0852302f55cc0e1d63be076b661c
Opcode Fuzzy Hash: cc00e60038d7e5b00a294da67532c8ff9d8da0984a3b6968a0dc5b622ff721b3
Instruction Fuzzy Hash: 2E41A176A0021966DF21AA65CC81BEF336DAF54384F08087BF905B31D3D63DCD9187A9

Function 0040CEF5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0040CEB6: LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CF0E,00000020,?,?,00405D3C,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CEC4
Part of subcall function 0040CEB6: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CEDD
Part of subcall function 0040CEB6: GetProcAddress.KERNEL32(00438800,CryptUnprotectMemory), ref: 0040CEE9

GetCurrentProcessId.KERNEL32(00000020,?,?,00405D3C,?,00000020,00000001,00000000,?,00000010,?,?,?,00000001,?,?), ref: 0040CF7C

Strings

CryptUnprotectMemory failed, xrefs: 0040CF75
CryptProtectMemory failed, xrefs: 0040CF3C

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: AddressProc$CurrentLibraryLoadProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 137661620-396321323
Opcode ID: fe221cb1f1ebd7538222251a67e743d79676efd4ab4d459fbc5578979eb1af3c
Instruction ID: d47b55f9d8946329b2d763cf1c5c736fe64ad30a662938a08eea1033a11e378d
Opcode Fuzzy Hash: fe221cb1f1ebd7538222251a67e743d79676efd4ab4d459fbc5578979eb1af3c
Instruction Fuzzy Hash: C411C171304213AFDB09AF349CD197F6756CB41B14724423FF902AA2C2DA388C41529E

Function 0040A19D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0040A1B5
_wcspbrk.LIBCMT ref: 0040A1FD

Strings

?*<>|", xrefs: 0040A1F7

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: _wcschr_wcspbrk
String ID: ?*<>|"
API String ID: 3305141221-226352099
Opcode ID: 7f6a6c1d5428e83731d2b65d13748a0e82632fc7d37b167bce2bcb03fdaf0a03
Instruction ID: fc4717308da4314e5704a136f2044a521342e33b833bb001f63317f55d448289
Opcode Fuzzy Hash: 7f6a6c1d5428e83731d2b65d13748a0e82632fc7d37b167bce2bcb03fdaf0a03
Instruction Fuzzy Hash: 1DF0F42912832254DE38A6659805AB333D49F15784F60447FE8D2BA2C2EA3D8CE3C16F

Function 0041DEAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041A429: __getptd.LIBCMT ref: 0041A42F
Part of subcall function 0041A429: __getptd.LIBCMT ref: 0041A43F

__getptd.LIBCMT ref: 0041DEBA

Part of subcall function 0041E9B4: __getptd_noexit.LIBCMT ref: 0041E9B7
Part of subcall function 0041E9B4: __amsg_exit.LIBCMT ref: 0041E9C4

__getptd.LIBCMT ref: 0041DEC8

Strings

csm, xrefs: 0041DED6

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 2d55cb122b51988d1cc7e6481490fc99cbdc11bcbdbc1298bbf42470784b3229
Instruction ID: 7c6b91792d137033b66a9eec197cc920f164d7126653d302a3e0d72df4157e21
Opcode Fuzzy Hash: 2d55cb122b51988d1cc7e6481490fc99cbdc11bcbdbc1298bbf42470784b3229
Instruction Fuzzy Hash: 040162B5C013148ACF389F25D444AEEB3B6AF14315F24441FE44156791DB38DED1DB49

Function 00410EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00410FD9,?,?,00411197,?,?,?,?,?,004111E6), ref: 00410EA6
GetLastError.KERNEL32(?,?,?,?,?,004111E6), ref: 00410EB2

Part of subcall function 00406423: __vswprintf_c_l.LIBCMT ref: 00406441

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00410EBB

Memory Dump Source

Source File: 0000000B.00000002.2589002771.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.2588978613.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589062788.000000000044F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2589140790.0000000000452000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: ac3bcd71a64bb110093b5bec46156cf20680403487952e12d0601c5134127ac2
Instruction ID: 79dccacb4fa0009262a18c3e3c709d5502c54047c68cfd859e09497cac206ec9
Opcode Fuzzy Hash: ac3bcd71a64bb110093b5bec46156cf20680403487952e12d0601c5134127ac2
Instruction Fuzzy Hash: 13D0C23260402037C5013B245C05EAE36116B11331BA00722F831602F1CB6909A2429F

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report habHh1BC0L.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\eee.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
habHh1BC0L.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre